Final Call - Eight Steps to Ensure that Your Data Protection Measures are in Place
When the EU General Data Protection Regulation (GDPR) comes into effect in May 2018, the definition of personal data (referred to as “privacy data” in this article) will be significantly widened.
Get Compliant in Time
The core concept of the EU GDPR is the protection of privacy data: any data that can be used, directly or indirectly, to identify a specific person. So, if you wish to collect, store, or process privacy data in any way, you must do so in accordance with the regulation.
Organizations that have not done so already have to start thinking in very pragmatic terms about what impact the GDPR will have on employees, processes, and technologies, and which measures to take to reduce business risk and get compliant in time.
Stringent documentation requirements
The EU GDPR is particularly strict in its compliance requirements, and non-compliance is subject to severe fines (up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher). To be compliant, businesses must be able to document who has access to personal data at any given time, and they must be able to document the processes and technologies for both internal and external processing of such data.
As a Data Controller, a business using privacy data is required to document its agreements with third-party Data Processors. Where a processor in turn uses other sub-processors, the business, in its capacity as controller, remains responsible for ensuring compliance with the EU GDPR throughout the entire supply chain.
No complete list available
Besides the obvious types of privacy data (name, photo, email address), the GDPR covers a wide range of privacy data such as ID numbers, location data, bank data, social media posts, health information, and IP addresses.
Furthermore, the EU GDPR defines special categories of particularly sensitive data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning a person’s sex life or sexual orientation. Data on criminal convictions and offences, including fines, is subject to its own separate restrictions. Personal profiling data, as known from social media or targeted internet advertising based on cookies, is not itself a special category, but profiling is subject to the tight restrictions described below.
However, there is no exhaustive list of what is considered privacy data according to the EU GDPR, so if in doubt, it is highly recommended to seek professional advice.
Requirements of active consent
One of the most important aspects of the EU GDPR is the requirement for valid consent from the person whose data is processed. Consent must be freely given, specific, informed, and unambiguous, and it must be active: the person must indicate by a clear affirmative action what his or her data may be used for. Silence, pre-ticked boxes, or inactivity do not count as consent, and for the special categories of sensitive data the consent must be explicit.
For businesses, this implies an obligation to inform individuals specifically what their data will be used for. Also, the person giving consent must be able to withdraw consent at any time, as easily as it was given.
Nevertheless, consent is not the only lawful basis for processing. Data that individuals are obliged by law to provide, for instance to public or tax authorities, is processed on the basis of a legal obligation rather than consent. In any case, it is advisable to seek legal advice to clarify which lawful basis applies to your business.
The EU GDPR will also implement the right to erasure, better known as the “right to be forgotten”. This means that a person can demand that data concerning him or her be erased. If a business has transmitted the information to a third party, the business (Data Controller) must communicate the request for erasure to every party the data has been transmitted to. Businesses must therefore be very well prepared and able to document both the presence of privacy data and every processing of this data.
The EU GDPR also gives citizens a right to data portability: the right to receive their data in a structured, commonly used, machine-readable format and to have it transferred between service providers. This could, for instance, be the case if a person wishes to change his or her pension or telecommunications provider.
Tight restrictions for data profiling
The regulation imposes tight restrictions on automated processing of personal data for profiling.
As a general rule, a person has the right not to be subject to a decision based solely on automated processing of his or her registered data where that decision produces legal effects or similarly significantly affects the person. Such decisions are only permitted where they are necessary for a contract, authorised by law, or based on the person’s explicit consent. The data controller must therefore have the person’s explicit consent before basing such decisions on data regarding, for example, private finances, health, personal preferences, travel patterns, or data related to employment conditions or recruitment.
Eight steps to ensure continuous compliance
As described, the EU GDPR places heavy demands on businesses: they must know which types of data are being collected and stored, and they must control and be fully aware of where and how privacy data is stored and processed.
Establishing a complete data overview is no trivial task. In many businesses, it will have a profound impact on employees, working processes, and the technologies the businesses use for processing privacy data. So, to be compliant in time, it is important that you act now.
At Omada, we help businesses establish an overview of the privacy data they are storing, determine who is responsible for the data, define which processes must be in place, and identify which technologies can keep the business in control of the data and secure compliance with the EU GDPR.
Omada has developed an EU GDPR Compliance guide which delivers a pragmatic approach to help businesses ensure they comply with all elements of the new regulation. This guide contains eight steps, which we believe you must complete to ensure that your business adheres to the new requirements and remains compliant going forward.