Anyone who processes personal data must comply with GDPR. Data controllers determine why and how personal data is processed; data processors, on the other hand, are third parties that handle personal data on behalf of a controller.
The law requires companies to build privacy into everything they do by design, and any breaches must be reported as soon as possible. It allows sanctions of up to four percent of annual revenue.
What is the GDPR regulation?
The GDPR is a new EU data protection regulation that came into effect on May 1. It is designed to give customers greater control over the information that companies collect about them, and it increases the sanctions for violating the law.
Under the law, "personal data" is any information that identifies a particular person. This can include names, phone numbers, email addresses, IP addresses and other identifiers, as well as information about a person's genetic and biometric characteristics. The law requires companies to obtain explicit consent from people before using their personal data and to explain the terms of that consent in plain, simple language. Individuals may revoke their consent at any time; if they do, the company must erase any personal data it holds about them on its systems. This is also called "the right to erasure."
The GDPR applies to enterprises and other organizations within the EU, and to those outside the EU that offer products or services to, monitor the behaviour of, or handle the personal data of EU citizens. It places the burden of compliance on both data controllers (the company that determines what personal data it processes and how) and data processors (outside entities that help manage that data).
Outside entities must sign agreements with data controllers that clarify their responsibilities and define how they will comply with GDPR's stringent rules on security, processing and breach reporting. These entities are also required to train their staff on the new guidelines.
Another important aspect of GDPR is the requirement for organizations to keep records of what they do with personal data. Data subjects can check whether their data has been used in an unintended way or whether an attack has taken place. This record-keeping requirement helps prevent misuse of data and strengthens consumers' trust in the processing of their personal data.
GDPR establishes principles such as transparency, fairness and purpose limitation. This includes "lawfulness, fairness, and proportionality", meaning that the reason for collecting and keeping personal data must be reasonable and justified. Additionally, you should minimize the amount of personal data you keep and store it only for as long as necessary.
What will the GDPR mean for my business?
The GDPR applies to every organization that collects data on EU citizens, including organizations not based in the EU. It also affects companies that trade with EU citizens. The law aims to increase transparency and improve the privacy of personal data by requiring organizations to give more detail on how they collect, use and secure it. Fines for non-compliance can be as high as twenty million euros or four percent of global revenue.
Businesses must take an integrated approach to GDPR and weigh each of its consequences. To achieve this you will need to involve everyone affected, not only IT staff. For example, forming a GDPR task force with representation from marketing, finance, operations and sales helps ensure that each function is aware of changes that could affect its own area of the business.
Once the group has assembled information on the organization's risk profile, it is time to consider what safeguards are in place to mitigate those risks. This could include implementing encryption or updating current data protection guidelines, creating new data management procedures, training employees on GDPR's requirements, or establishing an organizational structure that allows greater accountability and transparency.
It is also important that businesses inform customers clearly about these new rules, which will make it much easier to comply with them. The information should be concise, clear, transparent and easy to find, and should use plain language rather than technical language.
Making sure you are prepared to comply with GDPR is vital for every business that gathers or uses data on EU citizens. With a proactive plan, businesses can stay in compliance and avoid the costly penalties for non-compliance.
How do I get myself ready for GDPR?
Step 1: Examine how data is collected, stored and processed. Under the GDPR, businesses are required to share details of how their data is collected, stored and used. This may require a thorough review of existing practices, procedures and systems.
Furthermore, new rules must be in place so that data is collected only for the identified purposes and not for other reasons. This will reduce the volume of information you store and manage and can help you avoid the fines imposed under GDPR.
For example, under GDPR, if you collect information for marketing purposes, your consent forms must be explicit, simple and clear (not hidden inside legal notices), easy to withdraw from, and separate from other terms and conditions. Pre-ticked boxes or treating silence as consent will no longer be sufficient. An easy opt-out option must be available.
Your privacy statements must also be updated with the legal basis on which you collect the data, as well as any additional information required under the GDPR, such as your retention period and the right to complain to the ICO. You should also review all contracts with third-party companies that handle personal data to make sure they comply with GDPR.
Consider also how your company will uphold individuals' rights, for example the right to access their records, to update and correct data, to restrict processing, and to object to and opt out of automated decisions (including profiling). It is important to determine who will be responsible for these tasks before putting the proper systems in place.
The ICO has released a useful checklist to help you with this, which you can download here. If you want more details on the steps to take in preparation for GDPR, we suggest you download our 10-Step GDPR Compliance Checklist, which covers everything from identifying the personal information your company holds to the best way to share it with clients and ensure it is stored securely. Whether or not you are in the EU, this checklist will help you prepare for GDPR, and it is essential to ensure that your company is GDPR compliant.
What should I do to make sure that I am in compliance with GDPR?
It is essential to monitor and continually assess your compliance with GDPR. Ensure that you have the appropriate systems in place to allow data subjects to exercise their expanded rights, including the right of access, the right to rectification and the right to erasure (the "right to be forgotten"). Make sure your policies are clear and well documented. Ensure that everyone receives initial training and refresher courses so they stay up to date on your guidelines.
Create a section of your privacy statement that explains how you will deal with individuals who wish to exercise their rights, and that includes the consent procedure. The best way to avoid fines is to ensure that you adhere to GDPR's regulations. It is also a good idea to assign a specific person to be responsible for compliance within your company. This could be an internal or external professional with knowledge of GDPR compliance who can answer questions from anyone in your company.
Make sure that the companies and data protection consultancies you engage to store, process or analyze personal data are GDPR compliant. It is crucial to confirm that both you and your processing partners are GDPR-compliant.
Record the personal information you hold, where it came from, whom you share it with, and your security measures. You can then demonstrate GDPR compliance to the supervisory authorities if asked.
Be prepared to address any issues that may occur and react quickly; this helps you avoid potential fines or reputational damage. Companies are considering adding clauses to their employment contracts that require employees to comply with all GDPR regulations. Many companies are also introducing incentives and penalties to encourage compliance, including withholding rewards or other benefits from employees who do not adhere to the regulations. A survey by Veritas Technology revealed that nearly 50% of respondents would likely include GDPR policies in employees' contracts of employment.