GDPR was adopted two years ago, but it is only on 25 May 2018 that it – and the related fines – come into effect. If you feel like you are the only one not to have heard about it, don’t worry – while large corporations have done much to prepare for the change so far, there are millions of other entrepreneurs like you who feel unaware of any “revolution in data protection” coming.
VAfromEurope has set out to explain to our clients the basics of GDPR by answering the most common questions they might have:
What is GDPR?
GDPR stands for General Data Protection Regulation, which was adopted by the European Union and comes into effect on 25 May 2018. From that date, failure to adhere to GDPR will cost businesses up to €20 million or 4% of the annual revenue.
Who does GDPR relate to?
GDPR relates to all companies that are established in the EU and to those outside the EU that have EU employees, monitor the behavior of EU data subjects, market products to EU citizens or use EU citizens’ data for their own products (e.g. IT companies).
What is considered “personal data”?
Personal data comprises a person’s name, email, address, phone, IP address, as well as their religion, sexual orientation or personal opinions. Companies possess personal data of their employees, partners and clients and should take care to ensure data security for all these subjects.
What are the most important changes we should know about?
- A valid reason for data processing
You should choose and document a lawful basis for each data processing activity you perform. GDPR allows choosing between six lawful bases: consent, contract, legal obligations, vital interests, public task, and legitimate interests. Note that a lawful basis applies only where the collection of personal data is necessary. If the data cannot be considered necessary for or relevant to the purpose of the activity, it should not be collected or stored.
GDPR has established stringent rules on receiving, recording and managing consent, which is one of the most common lawful bases for processing client data. In particular, GDPR requires you to obtain explicit consent from all subjects, inform them of the organization controlling and/or processing their data, explain in clear and plain language the purpose for which consent is collected and how it can be withdrawn, and keep a record of how the consent was received. In addition, you should make sure you do not make consent a precondition for a service and do not penalize subjects for withdrawing consent.
- Personal privacy rights
GDPR has brought some important changes to personal privacy rights. In particular, subjects should now be able to access, copy and transfer their personal data, as well as object to its use for a particular purpose. Subjects have also received the right to erasure of personal data, also known as “the right to be forgotten”.
Should we do anything if we do not do anything wrong with the data?
Yes, you should. GDPR requires you not only to comply with the new rules but also to maintain accurate documentation of data processing and the related policies and procedures (e.g. procedures in case of a data breach), which demonstrate compliance. In addition, you should appoint a Data Protection Officer or a data protection specialist and sign GDPR-compliant contracts with all processors or other subcontractors given access to the data you hold. You should also be ready to show you have conducted an internal audit and staff training on the new rules. What is more, if you have not used data encryption, you should start implementing it to adhere to the security by design requirement.
Should we do anything with a database we already have?
Yes, you should. You need to make sure your legacy data was obtained in a way that is compliant with current GDPR rules. If you have no documentation of how the data was received, or the process of obtaining consent contradicts current rules, you should inform the subjects of the information you hold and the reason for processing it, giving them the right to object, or ask the subjects to positively opt in again.
Revising long-standing policies and practices may take up a lot of your time, but this is something you cannot escape – fines amounting to €20 million or 4% of the annual revenue sound like a strong argument, don’t they? Still, our virtual assistants may free you from a wealth of other responsibilities, so that you can concentrate on what is urgent and important, GDPR compliance in particular.