10 Tips for Making a Good GDPR in the UK Even Better

Every person who processes personal data has to comply with the GDPR. Data controllers are those who decide on the purposes and means of processing personal data, while data processors are third parties that process personal data on behalf of a controller.

Under the law, each business must plan its operations with privacy in mind. All breaches must be reported within 72 hours, and sanctions can reach 4% of annual turnover.

What exactly is GDPR?

The GDPR is a new data protection law in force in the EU. Its goal is to empower consumers by giving them more control over the personal data that companies gather. It also imposes higher sanctions for violating the law.

It defines "personal data" as anything that can be used to identify a person, including names, email addresses, IP addresses and phone numbers. It also covers a person's biometric and genetic data. Under the new rules, companies must obtain explicit consent from individuals before collecting personal data about them and must explain the terms of that consent in plain, simple language. Individuals can withdraw their consent at any time, and when they do, companies have to destroy the personal data they hold on them. This is known as the "right to be erased."

The GDPR applies to enterprises and other organisations within the EU, and to those outside the EU that offer goods or services to, monitor the behaviour of, or handle the personal data of European Union citizens. The burden of compliance falls on data controllers (the organisations that decide why and how personal data is processed) and data processors (outside parties that help manage that data).

Outside entities must conclude agreements with data controllers that clarify their roles and spell out how they will comply with the strict GDPR rules on security, processing and breach reporting. They are also required to train their staff on the new rules.

A key feature of the GDPR is the requirement that businesses keep track of how personal data is used. Data subjects can check their records to determine whether their data is being misused or whether a breach has taken place. This increases consumer trust and helps prevent the misuse of data.

The GDPR establishes principles such as transparency, fairness and purpose limitation. It also lays down rules on "lawfulness", "fairness" and "proportionality": you may collect and keep personal data only for a legitimate and appropriate purpose, you must limit the amount of data you keep, and you may store it only for as long as it is needed.

How can GDPR impact my company?

It applies to any organisation that collects data about EU citizens, even if the organisation is located outside the EU, and to companies that do business with EU citizens. The law aims to increase transparency and improve the security of personal data by requiring businesses to disclose more about how they collect, use and secure it. Companies that fail to comply face penalties of up to 20 million euros or four percent of global revenue.

Businesses should take an integrated approach to the GDPR and consider all of its implications. This means engaging all stakeholders, not just the people who work in IT. Creating a GDPR task force with representatives from Marketing, Finance, Operations and Sales will ensure that every department is kept informed of any changes that could affect your business.

Once the team has gathered details about the organisation's risk profile, the next step is to identify the mitigation measures required. These could include implementing encryption, updating current data protection policies, introducing new processes for managing data, training employees on GDPR requirements, or creating an organisational structure that allows greater transparency and accountability.

It is also crucial for companies to communicate the new rules clearly to their customers. This helps build trust and loyalty and makes it easier to meet the requirements. The disclosure should be clear, transparent, intelligible and accessible to the public, and it should be written in plain language, not technical jargon.

Preparing for the GDPR is imperative for any business that collects or uses data about EU citizens. By taking proactive steps to ensure they comply with the GDPR, businesses can avoid costly fines.

How can I make myself more prepared for GDPR?

The first step is to review how you collect, store and process data. Under the GDPR, businesses are required to disclose how personal data is collected, used and stored, which may mean reviewing existing procedures, policies and systems.

New procedures also need to be put in place to ensure that data is collected only for the purpose identified and not used for any other purpose. This reduces the amount of data you store and manage and helps you avoid penalties under the GDPR.

For example, under the GDPR, if your company collects details for marketing purposes, your consent requests must be precise, concise and clear (not buried inside legal notices), easy to withdraw, and separate from other terms and conditions. Silence or pre-ticked consent boxes are no longer sufficient, and an easy way to opt out is mandatory.

You also need to update your privacy notices so that they state the legal basis for collecting data and any other details the GDPR requires, such as the retention period and the individual's right to file a complaint with the ICO. It is also recommended that you review your contracts with any third-party companies that handle personal data on your behalf to determine whether they are GDPR compliant.

You also need to consider how your business will uphold the rights of individuals, for example the right to access their personal records, to have data updated and corrected, to restrict processing, to object to automated decision-making (including profiling), and the right to be forgotten. Establish who is responsible for this and put the required systems in place.

The ICO has published a useful checklist to help with this, which is available here. For more detail on how to prepare for the GDPR, we recommend downloading our GDPR 10 Step Compliance checklist, which covers everything from identifying the personal data your business holds, to the best way to communicate with customers about it, to how to make sure it is handled securely. Whether or not you have a presence in the EU, this checklist will help ensure that your business is fully GDPR compliant.

What can I do to ensure that I am in compliance with GDPR?

It is essential to monitor and continuously assess your compliance with the GDPR. Make sure you have adequate systems in place that allow data subjects to exercise their expanded rights, including the right of access, the right to rectification and the right to erasure (the "right to be forgotten"). Your procedures should be clear and well documented, and every employee should receive both initial and refresher training.

Include a paragraph in your website's privacy statement that explains how you will handle individuals who wish to exercise their right to opt out, together with an authorisation process. This will help you avoid fines for non-compliance with the GDPR. It is also a good idea to assign a specific person responsibility for compliance within the company; this can be an internal or external expert with knowledge of GDPR compliance, and anyone in your business should be able to contact them.

Check that all the companies and solutions you use to store, process and analyse personal data are GDPR compliant as well. This is crucial because the GDPR holds both your company and any processor partners accountable for non-compliance or breaches, so you must make certain that they take the same precautions as you do to protect personal data.

Keep records of the personal data you hold: in particular, where it comes from, who has access to it and what you do to mitigate risks. This allows you to demonstrate your compliance with the GDPR to a supervisory authority if asked.

Be prepared to address any issues that arise and to respond swiftly; this will help you avoid penalties and reputational harm. Many companies are considering making compliance mandatory by adding a clause to employee contracts that requires employees to comply with the GDPR. Many are also introducing rewards and sanctions to promote compliance, including withholding rewards or other benefits from employees who do not adhere to the rules. A survey conducted by Veritas Technology showed that more than 50% of respondents are likely to include GDPR-related policies in employee contracts.