Several months have passed since the General Data Protection Regulation (GDPR) came into force and you probably already know what it is. But how is your company doing with it? What does the GDPR really mean for you?
GDPR redefines how personal data should be collected, stored and shared across every sector, from healthcare to banking and beyond, protecting your privacy in a world of rapid technological development. GDPR harmonised the rules for the protection of personal data within the EU. Thanks to it, personal data in all EU countries is processed under the same conditions, and the Regulation applies not only to entities based in the EU but also to non-EU data controllers, such as Google or Facebook, that offer goods or services to people in the EU or monitor their behaviour.
But what do you REALLY need to know about the GDPR? Here is our practical guide with five essential points:
1. What is personal data?
The question might seem trivial, but are you sure you know the answer? It is obvious that first and last names are personal data, no doubt about it. But did you know that an email address may be personal data as well, or an IP address, or even a photo? Did you consider that a company fan page on Facebook may involve data processing? Or that processing of personal data occurs when you profile the users of a website?
GDPR defines personal data very broadly, as "any information relating to an identified or identifiable natural person ('data subject')". An identifiable person is one "who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
2. Who is the regulation applicable to and what does “processing” mean?
The answer is simple: anyone who processes personal data of individuals in the European Union for purposes other than purely personal or household ones should comply with the GDPR. Note that the Regulation protects data subjects who are in the EU; their citizenship is not what matters.
"Processing" means "any operation or set of operations which is performed on personal data or on sets of personal data". It covers collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. It makes no difference whether or not it is done by automated means: a computer, a mobile phone, a CD or cloud infrastructure all count, and so do paper records, as long as they form part of a structured filing system.
This means that the entities bound by the GDPR include, among others, public bodies (e.g. offices, universities, schools, hospitals), entrepreneurs (the legal form is irrelevant here), foundations, associations, etc. Whether the GDPR concerns you is determined by whether you process personal data or not (see point 1 if you are convinced that it certainly does not concern you). And as a private individual, you might also be interested.
It does not matter whether you have your headquarters in New York, Toronto, Sydney, Tel Aviv, Tokyo, Delhi or on Bora Bora. If you are processing data of people in the EU (for example, you run an online store and ship your goods to the EU), you are bound by the provisions of the GDPR. This does not apply if you process data purely for your own personal purposes, for example if you enter your neighbour's number into your phone, send holiday cards, use a private account on a social network, or send emails to friends.
3. Who is the personal data controller?
It is worth knowing who the data controller is, as it helps to define your role in the whole process. Simply put, the data controller is any entity that determines which data will be processed, why and how. So if you run an online store, a fitness club, a kindergarten, a medical practice, a law firm or a beauty salon, provide accountancy services, or simply have at least one employee, you can be 99% sure that you are the controller of your employees' and clients' data and you must follow the GDPR rules.
4. How to introduce the GDPR?
Here the answer is not simple. But for many entrepreneurs, in particular startups, it is rather optimistic. Why?
Well, you need to know that the GDPR has introduced a significant change in the approach to personal data protection (at least in most EU countries) by introducing a risk-based approach and the need for risk analysis. Someone gave it a second thought and concluded that a large telecom that processes the records of millions of customers and an SME with a handful of employees that processes little data should not be treated the same way.
A risk-based approach means that the applicable safeguards and data protection procedures should be adapted to the risks associated with the processing of personal data at a given controller. Each data controller must carry out the analysis of its processing operations and the related risks to data security on its own. Different controllers face different risks, and the measures applied should be adequate in relation to the existing threats (and the resources available).
Data controllers must also independently assess whether their processing operations, the IT systems in which the data are processed, and their suppliers and partner companies guarantee data security.
5. The data subjects’ rights
A data subject is a person whose data is processed. Each such person has a number of rights related to the processing of their data, which the data controller must respect and implement. It is worth taking this obligation seriously, because most of the penalties imposed so far for violations of the GDPR originated in a complaint from a dissatisfied data subject.
So what rights does the “data subject” have?
First of all, the right of access: everyone has the right to ask the data controller what data it processes about them, and the controller has to provide a full answer without undue delay and at the latest within one month (extendable by two further months for complex or numerous requests, provided the data subject is told why). Making a request should be as easy as possible and must be free of charge, unless the requests are manifestly unfounded or excessive, in particular because the subject keeps asking for the same information repeatedly.
Secondly, the right to rectification: if the data subject finds that their data are untrue, incorrect or incomplete, they may request their correction or completion, and the data controller should do so.
Thirdly, the right to restriction of processing: for example, a subject can limit the scope of the data that is being processed (e.g. deletion of part of the data, withdrawal from receiving notifications, etc.).
Fourth, fifth, sixth and seventh: the right to data portability, the right to object to processing, the right not to be subject to a decision based solely on automated processing (including profiling), and the right to withdraw consent at any time.
And finally, the right to erasure (the right to request the deletion of all of one's data, the famous "right to be forgotten"). It means that on the data subject's request, the data controller should delete the data. The request does not have to take any special form.
It is important to point out that these rights are not absolute (there are exceptions), and the Regulation sets out the specific situations in which each right applies.
Written by: Krystyna Lisiecka-Stasiak, FundingBox