Are you GDPR compliant? 1 Security

The EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018, so there is not much time left to review what you still need to do and take the steps needed to achieve compliance.

Does the GDPR apply to me?

The Regulation is huge in scope, unifying data protection laws across the EU. Its scale has led many companies to presume that it only applies to organisations that process large volumes of personal data. However, depending on a few factors, a company of any size may be subject to the Regulation’s requirements. The following questions will help you determine whether you need to pay attention to the GDPR:

1. Do you process EU residents’ personal data?

If you do, then the GDPR probably applies to you.

It doesn’t matter whether you are based in an EU state or not. If your company processes, stores or transmits personal data belonging to people in the EU, and in particular if it offers them goods or services or monitors their behaviour (Article 3), then you will almost certainly be required to comply with it.

2. Are you engaged in economic activity?

The one caveat to that is that the GDPR does not apply to people processing personal data in the course of purely personal or household activity. This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer or you have CCTV cameras on your house to deter intruders.

To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity. You must be careful not to mistake business conducted from home for household activity.

3. Does your organisation have fewer than 250 employees?

The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees.

The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. For example, Article 30(5) of the Regulation states that organisations with fewer than 250 employees are not required to maintain a record of processing activities under their responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”. In practice this exemption is narrow: routine processing such as payroll or customer records is not “occasional”, so most enterprises will still need to keep the record for at least those activities.

So, does the GDPR apply to you?

If you’ve now realised that the GDPR applies to your organisation, you should find out what your obligations are and how you can achieve compliance. You can do this based on the Data Protection Commissioner’s (DPC) compliance checklist, which is summarised below and outlines what organisations need to do before the 25 May 2018 deadline.


1. Learn about what’s coming

If you’re reading this, you’re probably familiar with the GDPR. But according to our GDPR Report, published in July 2017, only 66% of senior management have been briefed on the Regulation.

Senior management will have a big say on how their organisation prepares for the Regulation, so it’s paramount that they know what’s coming, what they need to do and the risks of failing to comply. Everyone else in the organisation responsible for regulatory compliance and data processing will also need to understand their obligations.

2. Become accountable

The Regulation includes provisions that promote accountability, so the DPC advises organisations to make an inventory of all the personal data they hold and examine it under the following questions:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties, and on what basis might you do so?

3. Review personal privacy rights

Data subjects have a number of rights pertaining to the way organisations collect and hold their data. These include:

  • The right to be informed
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right to access

Most of these rights are similar to those in current data protection laws, but there are some significant changes. It’s important to familiarise yourself with those changes and plan accordingly.

4. Communicate with staff and service users

You’re not the only one who needs to know about data subjects’ rights. When collecting personal data from staff, clients or service users, you need to inform them of their rights.

5. Learn about legal grounds

Organisations need to be able to demonstrate that they have a lawful basis for every processing activity (Article 6). Most organisations currently rely on consent by default, but the GDPR toughens the rules for obtaining and keeping consent.

There are five other lawful grounds for processing data:

  • A contract with the individual
  • Compliance with a legal obligation
  • Vital interests
  • A public task
  • Legitimate interests

Organisations should learn when each of these grounds can be relied on, record the ground chosen for each processing activity, and adjust their data collection policies accordingly.

6. Change your consent requests

There will be times when consent is the most appropriate lawful ground, so you need to know how it must be sought. The GDPR lists specific requirements for lawful consent (Article 7 and Recital 32): it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so pre-ticked boxes, silence or inactivity do not count. It must also be as easy to withdraw consent as it was to give it, and you must be able to demonstrate that consent was obtained.

7. Research child consent policies

The GDPR treats children’s consent specially because they “may be less aware of the risks, consequences and safeguards” of sharing data. Where an online service is offered directly to a child, Article 8 requires that consent be given or authorised by the holder of parental responsibility if the child is below a set age. The default age at which someone can consent for themselves is 16, but the Regulation allows member states to lower that limit to anywhere between 13 and 16.

For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.

Data controllers must know the age of consent in each country they operate in and, for anyone under that age, obtain parental consent instead, making reasonable efforts (taking available technology into account) to verify that it was actually given by the parent or guardian.

8. Appoint a data protection officer

The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection strategies and compliance programme.

Although only certain organisations need to appoint a DPO, the Article 29 Working Party recommends that all organisations appoint one as a matter of good practice.

9. Plan for data breaches

One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Under Article 33, organisations must report a personal data breach to their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. The notification should include as much detail as is available at the time, and may be completed in phases where the full picture is not yet known. Where the breach is likely to result in a high risk to individuals, Article 34 also requires that the affected data subjects be told directly. Meeting the 72-hour window requires detection, triage and escalation procedures that exist before the incident, not after it.

10. Adopt a privacy-by-design approach

Organisations should adopt a privacy-by-design approach to data protection (Article 25). As part of this, Article 35 requires them to conduct a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, such as large-scale processing of special categories of data, systematic monitoring of public areas, or profiling that produces legal or similarly significant effects. Running a DPIA at the outset of any new project or initiative that touches personal data is the simplest way to make sure the high-risk cases are caught.

DPIAs help organisations see how changes to the business will affect people’s privacy, and their results can be used to anticipate and mitigate problems well in advance.
