In 2016, when the GDPR, the EU's General Data Protection Regulation, was voted in, everyone took it lightly, most likely because its content was unclear. Even though the D-day had been announced back then, business owners found other sources of stress, as the GDPR was still considered a fuzzy business. Now we have almost run out of time, and this new set of regulations has caught up with us. What we need to do ASAP is get our facts right and come up with an action plan. So, let's take a short drive through the GDPR and check out the what, the who and a bit of the how of this affair.
Setting the record straight
Let’s start with the essentials. What exactly is this GDPR business?
In 2016, the EU decided to bring several notable changes to the already existing data protection law. Since we are talking about a 22-year-old piece of law, the need for change is obvious, especially because we are constantly bragging about the impressive speed at which technology is advancing. The GDPR governs the handling of personal data within the EU space, more specifically, the 28 member nations.
When personal data is mentioned in the GDPR context, the reference is to any piece of information relating to an identified or identifiable natural person. To put it simply, the GDPR is about people and their right to data privacy. In a technology-governed world, the GDPR switches roles, giving people control over the buttons and making sure that they know how to use them.
Apart from personal data, which is a key term in this new set of regulations, you also have processing, which is just as important. Processing personal data is a wide notion, and it is deliberately so. If you do anything with personal data, collection, storage, adaptation, transmission, you name it, it is considered processing. Do so within the EU space and you are subject to this new set of regulations.
Given the workload implied, the GDPR came bearing fines to make sure that all businesses comply. Just to give you a hint of what kind of fines have been set, a GDPR non-compliance fine can reach the staggering amount of 20 million euro or 4 % of your annual revenue, whichever is greater.
Who are you exactly?
The new data protection rule refers to companies selling goods or services within the EU's space. However, there are various interpretations that ought to be considered as well. For instance, your company could be subject to the GDPR if you are handling personal data of EU citizens for marketing purposes. You might be quick to object that your company is based outside the EU space. Don't be quick to celebrate, because the problem is still there. If you are processing data of EU citizens for whatever reason, you are in fact subject to the GDPR.
To put the GDPR in its current context, three roles were defined:
- Data subject: an identifiable person
- Data controller: a natural or legal person, a public authority, organization or agency that determines the purpose of the data collected
- Data processor: a natural or legal person, a public authority, organization or agency that processes data on behalf of the controller
Clearly, each of the categories listed above has different rights and obligations. Data processors and controllers have more or less the same obligations, their interaction being governed by a contract in which the nature, duration and purpose of the data processing must be clearly specified.
On the other hand, by means of the GDPR, data subjects have gained several rights, among which are the right to be asked for consent, the right to be forgotten, the right to access their data and the right to receive breach notifications.
So, what’s next?
Unfortunately, things don't stop at choosing sides and deciding where your business best fits in. The biggest challenge of all is not reading and understanding the GDPR, although we are talking about 88 pages of hardcore legal text. The biggest challenge of all is becoming compliant before 25 May 2018. Here are several points you might want to study thoroughly:
- Get them on board: You need to start rethinking the idea of consent, because from now on the power is in the client's hands. Under the GDPR, no data-related action can be taken in the absence of clear, straightforward consent that has been obtained and can be proved at any time.
- Funny you should ask: Because data subjects now have the right to data portability, companies need to be able to comply with requests of this kind. You will need to develop a system to port data from one safe environment to another without complications.
- It's all on you this time: Handling personal data has turned into a delicate matter, very similar to the way in which we would treat sensitive data. Consent over personal data is in itself a prized possession, so stricter documentation, including thorough data records, must be put in place.
- S.O.S. Breach Alert: In case of a data breach that is recognized as a risk to data subjects, potentially affecting their rights and freedoms, companies are obligated to notify the affected individuals as well as the competent authorities. A plan for this is therefore required.
Since the world still needs GDPR-related info, know that a how-to checklist of all the GDPR steps that need to be taken into consideration is in the making as we speak and will be posted. So, stay tuned and start doing your homework on the GDPR.
Disclaimer: Please bear in mind that this article should not be treated as legal advice in complying with the GDPR. The sole purpose of this article is to facilitate a better understanding of the approved EU data privacy law.
If you are in need of legal advice on the matter, we urge you to seek the assistance of an attorney, who can apply the GDPR to the specific needs of your company.