On the 25th of May 2018, the new General Data Protection Regulation of the European Union comes into force. Let's review a few of the most important facts and find out how to adjust the company policy.
For the first time in history, the European Union has created a regulation that applies outside the EU. That means any company doing business with EU companies or citizens will have to comply with the GDPR requirements. Alongside the requirements for companies, the regulation also extends the rights of individuals:
The regulation says that any data that can identify an individual is personal data, including genetic, mental, cultural, economic and social information. As a result, IT companies that were previously unaffected by data protection laws will need to ensure compliance with the new requirements.
From now on, hardly any personal data will fall outside the GDPR, making it difficult for organizations to avoid having to comply with its requirements.
The directive tightens the rules for obtaining valid consent to use personal information. One of the biggest challenges of the new policy is proving valid consent for using personal information. In the future, organizations will have to explain exactly what personal data they collect and how it is processed and used. Without valid consent, any personal data processing activity should be shut down by the authorities.
The new Data Protection Directive requires the appointment of a Data Protection Officer (DPO), who should protect the company from breaches and report any violations. The role of DPO should be performed by an independent person with a strong legal background. The inclusion of privacy impact assessments (PIAs) in the GDPR is also mandatory: data controllers must conduct PIAs where the risk of a privacy breach is high. This means that before beginning projects involving personal information, the company has to conduct a privacy risk assessment and work with the DPO to ensure compliance.
The GDPR harmonizes the various data breach notification laws in Europe and aims to ensure that organizations constantly monitor for breaches of personal data. The regulation requires organizations (via the DPO) to notify the local data protection authority of a data breach within 72 hours of discovering it.
For many organizations, this requires additional training, changes to internal data security policies, and ensuring that data breaches are properly understood and easily recognized.
The policy brings the beneficial right to be forgotten. This is the data minimization principle: it requires organizations not to hold data any longer than absolutely necessary and not to change the use of the data from the purpose for which it was originally collected, while at the same time they must delete any data at the request of the data subject. This requirement sounds very promising for employees who did not perform well enough in a previous job and would like it not to influence the next one. But it doesn't work that way: an employer should keep the records regarding the employee in accordance with local law, and provide performance information on request, along with any other personal data (date of birth, family information, health data, etc.).
An important step is to be aware of all the data an organization currently uses. This needs to be well documented, and a clear audit trail should be kept. If you hold incorrect data that has been shared with another organization, it will be your responsibility to inform them so that they can correct their records. Having a clear understanding of the data and information you hold will not only make things easier but will also help you show that you comply with the GDPR accountability principle.
Under the current data protection laws, the company should have a privacy policy that clearly explains what personal data is collected and how it will be used; this includes explaining the lawful basis for processing personal information and the data retention periods. It is essential that the information is presented in a clear and concise manner and is easy for people to understand. Bear in mind that the average person is not likely to know what GDPR is or to have been exposed to the same terminology and research as professionals have!
So, what should you do to comply with the GDPR:
The new General Data Protection Regulation of the European Union is meant to protect citizens from any kind of violation. As described above, the directive is going to turn business upside down. In order to become compliant with the new rules, the organization should set up training for employees, identify the weak spots where breaches are possible, and establish procedures. Inoxoft is ready to design software that will keep your company far from violations.