Implementing General Data Protection Regulation in Your Company
GDPR regulation requires businesses to actively protect the personal data and privacy of EU citizens for transactions. Non-compliance could cost companies up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. Here’s what you need to know about GDPR.
Does the GDPR Apply to My Company?
GDPR gives EU citizen’s data a variety of protections. If your organization has personal data of EU citizens, then GDPR applies to you. Even if you think that you don’t need to necessarily become compliant, you are responsible for protecting your user’s data. GDPR guidelines will help outline what is necessary.
GDPR covers any file or database that has a personal information in it. Start by documenting any data store used in your company where personal information could be stored. It doesn’t matter if the hard drive where this data is stored is in the EU or not, if the personal data belongs to an EU citizen then the GDPR applies.
How to Handle Personal Data
GDPR states that you need to keep personal data accurate, up to date, secured, transparent about how it’s going to be used. These guidelines also call to restrict the amount of data collected to the bare minimum needed to do the job.
Review what is being done with any personal data that you have. Document where it came from, get consent to use it when you obtain it, and make a plan to update or fully delete inaccurate data.
You’ll need to tell people what you are going to do with their data. You are not allowed to do anything outside of that. Make sure that everyone in your company understands what can be done and provide a point of contact of any violations are found.
Under GDPR users have the right to request to see the data that you have on them. You’ll need to respond to the request within 30 days, send them their data in a format that is easy to read and edit, and implement any changes they request. They may ask you to stop using their data entirely. You will also need to be able explain why you have their information, who accessed the data (within your company or third-parties), and how long you plan on keeping their data. If people start to abuse these requests, then you can deny the request (within reason) or charge a small fee to do so.
So, you can see how important it is to document this information so you are ready to answer these questions. It is a good idea to implement a fire drill as a best practice. Select one of your customers and pretend that they have made a request to exercise all their rights under GDPR.
GDPR states that you need to prove consent was given for any personal data that you have. So you can’t bury the consent and usage info. Furthermore, this information will need to be specific and use plain language.
Link any data that you have with what has been consented through proper documentation. This will help if you ever need to prove that you have consent for this data. Filters should also be put in place to ensure the user is 16 years old as under GDPR rules children cannot give consent – you’ll need their parent or guardian to give consent.
Some personal data is more sensitive than normal. Race, politics, religion, union status, health data, criminal data, sex life, or sexual orientation are examples of sensitive data. Therefore, this data should not be collected unless required by law. So review the data that is in your possession to ensure that nothing in these categories exists.
Data Protection Officers
GDPR sates that there needs to be a Data Protection Officer to stand as a single point of contact within an organization who can field requests about GDPR related items when the company’s core activities:
consist of data processing operations, which by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
consist of data processing on a large scale of special categories of data.
While the language stating when a DPO is needed is a little fuzzy and has evolved over time, many organizations already have a Chief Information Security Officer. As a result, it is likely that the responsibilities of a DPO will be pushed over to this role. DPOs can do other tasks as long as they don’t have a conflict of interest. The role of a DPO is to advise the company of GDPR compliance on an ongoing basis.
Compensation, Fines, and Penalties
GDPR has much bigger teeth than previous data protection acts. Significant thought has been put into it describing exactly how you and your organization could face stiff fines. The process greatly favors the individual raising a complaint against you. Fines for violations shall be “effective, proportionate, and dissuasive”. As a result, you could be hit with a fine that can add up to millions of dollars. On top of that, individuals and countries can add on additional lawsuits and fines for offenses.
Simply put, do all that you can to be compliant with the GDPR regulations. Any controls that you put into place, documentation, and processes will all help to mitigate your risk. These regulations need to be taken seriously. Efforts in becoming fully GDPR compliant will be rewarded in greater consumer confidence and will make your organization more secure.
About DeCort Interactive
Website performance tuning is our specialty. We harness the true power of your website and collaborate with you to better understand your company and its goals. Our team is a collective of passionate developers with interdisciplinary expertise. Your end product will be optimized to run at the highest level and we don’t stop until you are satisfied.
Contact us today to improve the performance of your website.