An overview of the General Data Protection Regulation (GDPR)
If you conduct business in the European Union (EU), the General Data Protection Regulation is something you should be familiar with – or becoming familiar with. GDPR will lay out guidelines for how businesses and public entities hold and process personally identifying data of EU citizens, whether inside or outside EU borders.
You may be asking if GDPR applies to you. If your business has the means to access personal data and any of the following apply to your business, keep reading:
- Your business has a presence in an EU country
- Your business isn’t physically present in the EU, but processes personal data of EU residents
- Your business has more than 250 employees
- Your business has fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects or includes certain kinds of personal and sensitive data
Now, let’s take a closer look at the who, what, when and how of the GDPR.
Who are the stakeholders for GDPR?
There are four key GDPR stakeholders you should get to know:
Data subject
Private citizens whose personal data is processed by a controller or processor
Controller
Legal person, public authority, agency or another body responsible for implementing appropriate measures to make sure data processing is legal and compliant
Processor
Reports to the controller and follows instructions regarding which data to process
Data protection officer
An expert on GDPR privacy who works independently to ensure that a business is adhering to the GDPR’s policies and procedures
What data does GDPR protect?
If you hold or process personal data of EU citizens, there are GDPR requirements to ensure your business protects their personal data and privacy. The business advantage of having the regulation in place is significant: You’ll have a clear legal environment to conduct business. And making data protection law identical throughout the EU market should improve trust in the digital economy.
So, what is personal data exactly? The GDPR’s definition of personal data is, “Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.”
Let’s take a closer look at some of the GDPR nuances
The data subject must perform an affirmative action – like clicking in a box or selecting certain settings, for example – to give consent for their personal data to be processed. The controller should keep a record of that consent.
Right to assistance
Data subjects can ask for clarification from the controller regarding their rights related to the processing of their personal data.
Your business will now be required to provide in-depth information on the processing of data, including:
- Controller’s contact information
- Reason for processing
- Proof of its lawfulness
- Period of processing
- Possibility of withdrawing consent
- Possibility of complaining to a supervisory authority
- Indication of whether the processing is part of profiling the data subject
The right to be forgotten
Data subjects have the right to have their information deleted. If requested, controllers are obligated to delete their personal data and make sure other parties processing the data do the same.
This is about the data subject’s right to have their information handed over by the controller. The data should be in a structured, machine-readable format. This gives data subjects an easy overview of their information and the ability to transfer it to another service provider, if desired.
The right not to be profiled
This ensures that data subjects are not profiled for actions like e-recruiting or credit ratings. But with their consent, profiling is permitted for marketing purposes and other reasons.
GDPR fines aren’t insignificant. For example, noncompliance with controller or processor duties can result in a penalty of 2 percent of the company’s global annual turnover or €10 million, whichever is higher. There’s also a penalty of 4 percent of the global annual turnover or €20 million for noncompliance with the principles or the rights of the data subjects, for data transfers to countries outside of the EU without legal basis, or for failure to comply with orders from the supervisory authority.
When does GDPR go into effect?
It goes into effect on May 25, 2018. By that time, your business will need to be up to date. Keep in mind, there’s no grace period. If you’re not GDPR-ready, now’s the time to get the ball rolling.
Contact LogPoint to find out how we can make your business more GDPR-ready.
How do you get on the right track with GDPR?
The GDPR may seem daunting, so it may be helpful to break it down into smaller components. This compliance checklist should help get you on the right track:
Is your business subject to the GDPR?
- Which categories of personal data does your business wish to process?
- Does your business play the role of a controller or processor?
- Does your business have a legal basis to process personal data?
Does the processing have a legitimate purpose?
- Can your business handle information in a less intrusive way and still achieve the same goal?
- Is your business able to account for and have the proper documentation and proof of lawfully processing personal data?