Personal Data

Personal data is defined by the EU as "any information relating to an identified or identifiable natural person ('data subject'); or in other words, someone who can be identified, directly or indirectly by name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
This includes:
- Name
- Photo
- Email address
- Social media posts
- Bank details
- Medical information
- IP addresses
Clear & Concise Policies

Privacy policies are now required to be more clear and concise, leaving no room for misunderstanding for ordinary customers. No longer can convoluted or complex legal writing pass the cut. Terms and conditions must be transparent, coherent, and user-friendly.
Consent

Before a company can collect, store, and use personal data, they must explicitly receive active consent from their customers. The privacy and protection policy must clearly detail what, when, how and for how long personal data will be collected, stored and used.
Customers have the right to withdraw at any time, for any reason. Companies must respect the right of the customer to have their data removed from any locations it is stored.
Hire a DPO

Entities that have more than 10-15 employees require a Data Protection Officer (DPO). The DPO should secure a company's collection, storage and use of private personal data. Regular and systematic monitoring is necessary to ensure everything is up-to-date and in compliance with GDPR.
Assess the data protection impact

Before beginning a project, perform a Data Protection Impact Assessment to measure the effects of a potential privacy data breach.
Auditing the processes and procedures in place before beginning a project can help prepare and prevent a personal data crisis.
Ensure compliance with laws and regulations and carefully evaluate the risks, effects, protection, and solutions.
Breached? Report it ASAP

According to the GDPR, a company has 72 hours to report a data breach. This means businesses need to have the proper technology to detect compromises in data security. This regulation is a strict section of GDPR, so changes in policy and training may be required to be compliant and up-to-date.
Non-compliance

The EU is not joking around with GDPR. Failure to comply with its standards will result in a fine of 20 million Euros or 4 percent of a company's global revenue, whichever is the higher amount. Compliance is mandatory.
If records are not kept properly and orderly, a fine of 2 percent of a company's global revenue can be charged. All fines will be dependent on infringement of regulations, case by case.
Avoid these massive fines by quickly and properly aligning policies, procedures, and workplace practices with GDPR standards.
Next steps

The best place to start is to focus on areas of highest risk, such as large-scale processing of sensitive data. Utilize the company's legal counsel and refer to them when questions arise. Start here and move forward.
Simply put, GDPR is all about giving people more rights over, and more security for, their personal data, and holding companies more accountable for their acquisition, storage, and use of that data. Taking the next steps and continually evaluating compliance is critical, but it will also help businesses build more transparency and trust.
Helpful Resources: