GDPR: Are You Ready For The Changes?


The General Data Protection Regulation (GDPR) introduced strict rules for how businesses collect, process, and protect the personal data of EU citizens. This guide explains what GDPR is, who it applies to, what counts as personal data, and the most important compliance requirements – including lawful data processing, consent management, privacy rights, documentation, and security measures. Understanding and preparing for GDPR compliance is essential to avoid severe financial penalties and protect your business reputation.

GDPR was adopted two years ago, but it was only on 25 May 2018 that it – and the related fines – came into effect. If you feel like you are the only one not to have heard about it, don’t worry – while large corporations have done much to prepare for the change so far, there are millions of other entrepreneurs like you who know little about the coming “revolution in data protection”.

VAfromEurope has set out to explain to our clients the basics of GDPR, answering the most common questions they might have:

What is GDPR?

GDPR stands for General Data Protection Regulation, which was adopted by the European Union and came into effect on 25 May 2018. From this date, failure to adhere to GDPR can cost businesses up to €20 million or 4% of annual revenue.

Who does GDPR apply to?

GDPR applies to all companies established in the EU, and to companies outside the EU that have EU employees, monitor the behavior of EU data subjects, market products to EU citizens, or use EU citizens’ data in their own products (e.g., IT companies).

What is considered “personal data”?

Personal data includes a person’s name, email, address, phone number, and IP address, as well as their religion, sexual orientation, or personal opinions. Companies hold personal data of their employees, partners, and clients, and should take care to ensure data security for all of these subjects.

What are the most important changes we should know about?

  • A valid reason for data processing

You should choose and document a lawful basis for each data processing activity you perform. GDPR allows you to choose between six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Note that a lawful basis applies only where the collection of personal data is necessary. If the data cannot be considered necessary for, or relevant to, the purpose of the activity, it should not be collected or stored.

  • Consent

GDPR has established stringent rules on receiving, recording, and managing consent, which is one of the most common lawful bases for processing client data. In particular, GDPR requires you to obtain explicit consent from all subjects, inform them of the organization controlling and/or processing their data, explain in clear and plain language the purpose of collecting consent and the subject’s ability to withdraw it, and keep a record of how the consent was received. In addition, you should make sure you do not make consent a precondition for a service and do not penalize subjects for withdrawing consent.

  • Personal privacy rights

GDPR has brought some important changes to personal privacy rights. In particular, subjects should now be able to access, copy, and transfer their personal data, as well as object to its use for a particular purpose. Subjects have also received a right to erasure of their personal data, also known as the “right to be forgotten”.

Should we do anything if we are not doing anything wrong with the data?

Yes, you should. GDPR requires you not only to comply with the new rules but also to maintain accurate documentation of your data processing and the related policies and procedures (e.g., procedures to follow in case of a data breach), which demonstrates compliance. In addition, you should appoint a Data Protection Officer or a data protection specialist and sign GDPR-compliant contracts with all processors and other subcontractors given access to the data you hold. You should also be ready to show that you have conducted an internal audit and staff training on the new rules. What is more, if you have not been using data encryption, you should start implementing it to adhere to the security by design requirement.

Should we do anything with the database we already have?

Yes, you should. You need to make sure your legacy data was obtained in a way that complies with the current GDPR rules. If you have no documentation of how the data was received, or the process by which consent was obtained contradicts the current rules, you should inform the subjects of the information you hold and the reason for processing it, giving them the right to object, or ask them to positively opt in again.

Conclusion

Revising long-standing policies and practices may take up a lot of your time, but this is something you cannot escape – fines amounting to €20 million or 4% of annual revenue sound like a strong argument, don’t they? Still, our virtual assistants can free you from a wealth of other responsibilities, so that you can concentrate on what is urgent and important, GDPR compliance in particular.
