On the 25th of May 2018, the new General Data Protection Regulations of the European Union are coming into power. Let’s review few the most important facts and find out the way to adjust the company policy.
GDPR Applies to All
For the first time in the history – the European Union created the regulations which are viable outside the EU. That means that any company sharing their businesses with EU companies or citizens will have to comply with the GDPR requirements. Together with requirements for companies, there is also there extended rights for individuals:
- to be informed
- right of access
- rectification
- right to erasure
- restrict processing
- right to data portability, which only applies:
- to personal data, an individual has provided to a controller;
- where processing is based on the individual’s consent or for the performance of a contract;
- when processing is carried out by automated means.
- right to object
- not to be subject to automated decision-making, including profiling
- data portability only applies to the instances mentioned above, however, it’s really important that you are able to provide data in a structured and commonly used machine-readable format. This should be done free of charge.
GDPR Extends the Definition of Personal Data
The regulations say that any data that can identify an individual is personal data, including genetic, mental, cultural, economic and social information. Due to this, IT companies which were unaffected by the data protection laws will need to ensure compatibility with the new requirements.
From now on, hardly any personal data will not fall under the GDPR, making it difficult for organizations to avoid having to comply with its requirements.
The directive tightens the rules for obtaining valid consent to using personal information. One of the biggest challenges of the new policy is to prove valid consent for using personal information. In the future, it will be important for organizations to explain exactly what personal data they are collecting and how it is processed and used. Without valid consent, any personal data processing activities should be shut down by the authorities.
The Appointment of DPO and Introduction of PIAs
The new Data Protection Directive requires the appointment of the Data Protection Officer, which should secure the company from breaches and inform in case of any violations. The role of DPO should be performed by an independent person with a strong law background. Also, the inclusion of privacy impact assessments (PIAs) in the GDPR is mandatory. It requires data controllers to conduct PIAs where privacy breach risks are high. This means before beginning projects involving personal information, the company have to conduct a privacy risk assessment and work with the DPO to ensure compliance.
Data Breach Notification Requirement
The GDPR harmonizes the various data breach notification laws in Europe and is aimed at ensuring organizations constantly monitor for breaches of personal data. The regulation requires organizations (DPO) to notify the local data protection authority of a data breach within 72 hours of discovering it.
For many organizations, it requires an additional set of training, making changes to internal data security policies, ensuring that data breaches are properly understood and will be recognized easily.
The Right to be Forgotten
The Policy brings beneficial right to be forgotten. That is the data minimization principle that requires not to hold data for any longer than absolutely necessary, and not to change the use of the data from the purpose for which it was originally collected, while – at the same time – they must delete any data at the request of the data subject. This requirement sounds very promising for employees who did not perform well enough on previous work and would like it to not influence the future job. But it doesn’t work in this way, an employer should keep the records regarding the employee accordingly to the local law, and provide performance information on the request while providing any other personal data (date of birth, family information, health data, etc.)
Data Audit
An important is to be aware of all of the data an organization currently uses. This needs to be well documented and a clear audit trail should be kept. If you hold incorrect data and it is shared with another organization, it will be your responsibility to update them so that they can correct their records. Having a clear understanding of the data and information you hold will not only make things easier but will help you to show that you are in compliance with the GDPR accountability principle.
Update Privacy Information
Under the current data protection laws, the company should have a privacy policy that clearly explains whose personal data is collected and how it is planned to be used, this includes: explaining the lawful basis for processing personal information and data retention periods. It’s essential that information is presented in a clear and concise manner and that it is easy for people to understand – bear in mind that the average person isn’t likely to know what GDPR is or have been pre-exposed to the same terminology and research as professionals have!
So, what should you do to comply with the GDPR:
- educate employees regarding GDPR – every employee, doesn’t matter the rank, should have enough knowledge regarding the policy and be able to report the violation;
- assess privacy data – organization should know what data is being collected, why and how is being processed;
- review personal data consent requests – every organization that collects and processes data should make all necessary adjustments to achieve compliance;
- check data management procedures – assess what data has been used for, and audit how it has been processed;
- document data privacy by design – organizations collecting and processing personal data must design products, services, and public-facing communication infrastructure, with privacy in mind, from the very beginning of the development process;
- develop procedures for security breaches – document the procedure for notifying data subjects that a security breach has occurred;
- assess the need to hire a DPO – enterprise if you should appoint a designated lead data protection authority for the organization;
- perform data protection impact assessments – while this assessment is mandatory for future development, it can also be useful when looking back at past projects.
Summing up
The new General Data Protection Regulations of European Union is ought to protect citizens from any kind of violations. As described above, the directive is going to turn business upside-down. In order to get compliant with new rules – the organization should set a list of training for employees, define the weak sides where breaches are possible and set up the procedures. Inoxoft is ready to design a software, which will keep your company far from violations.
