These past few weeks, we have heard a lot about GDPR. This EU law has applied since the 25th of May 2018, but what does it mean exactly for you and your business, and what are the risks if you fail to comply with it?
According to the EU GDPR Portal, the General Data Protection Regulation replaces the Data Protection Directive 95/46/EC, and its goal is to harmonise the different EU laws concerning data privacy. You are affected if your business is EU based, or if it handles personal data from European users.
This personal data includes any information that can be linked to an individual, such as their name, address and phone number, location, health records, income and banking information, cultural preferences, and so on.
But how will GDPR affect your business exactly? Here is what is going to change according to the European Commission's website:
- You will need a clear affirmative consent from a user before you can use his data.
- You need to use clear and straightforward language when stating your privacy policies. You need to state: who you are, why you are processing the data, what the legal basis is, who will receive the data, the contact information of the DPO, your legitimate interest, how long the data will be stored, the individual's data protection rights, how consent can be withdrawn, and whether there is a statutory or contractual obligation to provide the data.
- It will increase transparency on the use of data, which means that you will need to inform the user about any transfer of their data outside of the EU. You can only collect data for a well-defined purpose and will need to inform the user about any new purpose. You will need to notify the user if a decision made about them using their data is automated, and they should be able to contest it.
- It will put more control in the hands of users regarding the way their data is used: you need to notify them if there has been a data breach, the user should be able to move their data and have access to a copy of the data a business holds on them, and users should have a "right to be forgotten".
- Enforcement will be stronger, as the 28 data protection authorities will be grouped into one organisation, the European Data Protection Board, which will have more power over decisions and fines. Non-compliance can lead to a warning, a reprimand, a suspension of data processing, or fines of up to 20 million EUR or 4% of your worldwide turnover for certain breaches.
If you want to make sure to comply with these new rules, here are the steps that the European Commission advises you to follow:
- Notify your customers, employees or any other user when you collect their personal data, and state the purpose for which it will be used. You should always be able to tell a user what data you hold on them when they request it.
- Don't keep any personal data when it is no longer necessary. You should delete data on your employees and customers when the employment relationship and related legal obligations end.
- Make sure the data you process is safely stored. When stored on an IT system, access to it should be limited and the security settings regularly updated. If you handle physical documents, they should be stored in a locked place and accessible to only a few authorised persons.
- Keep a record of your data processing activities in a document explaining what data you hold and for what reason. You could be required to show this document to your national data protection authority, and it should include:
  - The purpose of the data processing
  - The type of personal data you hold
  - The data subjects
  - The recipients
  - The storage period
  - The security measures taken to protect the personal data
  - Whether the data is transferred outside the EU
- If you work with another company to process personal data, make sure they also abide by the GDPR.
- If personal data processing is a core part of your business, you need to appoint a Data Protection Officer, who can be an existing employee or an external consultant.
You need to carry out a Data Protection Assessment if your business carries out large-scale monitoring of a publicly accessible area, if automated processing is used to evaluate individuals, or if you process sensitive data on a large scale. This is not necessary if you are a small business processing employees' wages and client lists.
If you handle personal data that is considered sensitive (such as information on an individual's health or political beliefs), it must be treated with extra care and under specific conditions.
Great Online Reputation can advise you on how to be GDPR compliant with all your online resources.