GDPR is here… Are you ready?
What is GDPR?
Radical changes will be introduced in the business sphere in a few days, as from the 25th of May 2018, with the adoption of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Does GDPR affect you and your business?
Are you ready to comply with GDPR?
The purpose of the new regulations is to strengthen and unify data protection for all individuals within the European Union while giving them better control over their personal data, increasing at the same time the security of the information stored and processed by organizations aiming to protect European citizens from privacy and data breaches.
Its implementation is mandatory for all EU members and significantly changes the procedures and policies of organizations with respect to the management and use of personal data. Non-compliance is punishable with heavy administrative fines of up to 4% of worldwide annual turnover, with a maximum of €20 million!
Where does it apply?
GDPR applies to all companies which collect, store and/or process personal data of European citizens, regardless of whether their operations take place in the European Union or not.
Does it apply to your business?
It applies to any business which, in the course of its business:
– Collects and stores employees’, suppliers’ or customers’ personal data.
– Transfers the above data to other entities such as associates or agents, or sells the data.
– Operates a website through which it collects personal data for marketing and communication.
– Processes and uses personal data for marketing and communication purposes.
Key features introduced
- Data Governance and Accountability
Data Controllers and Processors are accountable for data protection. Companies must be able to demonstrate that they have carried out Privacy Impact Assessments to evaluate their procedures and practices with respect to data protection, and that they have taken the measures required to comply with GDPR.
- Data Protection by design
Controllers must implement appropriate technical and organizational measures and procedures to ensure that processing safeguards the rights of the data subject by design, i.e.:
- By minimizing data collected
- By not retaining the data beyond its original purpose
- By giving the data subject access and ownership of the data
- By adopting staff policies, such as the use of pseudonymisation and encryption, to enhance the security of data
- Appoint a Data Protection Officer (DPO) or, if its appointment is not mandatory, designate a person responsible for data protection compliance. The DPO is tasked with advising, monitoring internal compliance procedures and cooperating with the supervisory authority.
- Right to be forgotten
The right of consumers to request that controllers erase their data without undue delay.
- Consent
Companies are obliged to request consent from clients in order to use their personal data. Consent is not required where the data is received under a contractual obligation (e.g. there is a contract between the parties) or a legal obligation (e.g. AML legislation), or where processing is in the vital interest of the data subject or in the public interest.
- Breach notification
Organizations must notify the supervisory authority within 72 hours of a data breach occurring.
Measures required in order to comply with GDPR: The action plan
- Seek professional advice
- Appoint a Data Protection Officer or, if not required, designate at least one person responsible for data protection compliance
- Increase awareness of management and employees of the implications of GDPR.
- Carry out a privacy impact assessment to evaluate the nature of the data processing operations within your organization, in order to identify the steps to be taken with respect to the procedures followed in the processing, storage and use of personal data, i.e.:
- Check where and how personal data is kept and used and amend your procedures accordingly
- Increase security of your systems
- Delete excessive personal data or data for which the period of use has expired
- Identify the lawful basis for processing personal data and documents
- Obtain consent for collecting and managing personal data.
- Document the personal data the business holds, how it is collected, with whom it is shared, and where and how it is stored.
- Review GDPR’s provisions on consent
- Establish a Data Breach Process
- Monitor operations on a continuous basis to comply with GDPR and keep employees updated
We are ready to assist you in designing and implementing the action plan required to comply with GDPR, including training your personnel, carrying out Privacy Impact Assessments, amending your procedures to achieve compliance, providing legal support for the preparation of privacy policies, notifications and consents, strengthening the security of your systems with respect to personal data, and offering DPO services.