It is all over the media: on May 25th, 2018 the General Data Protection Regulation (GDPR) becomes enforceable. GDPR has the objective to protect the data privacy of EU residents and to sharpen the way organizations treat data privacy. But what is GDPR really and what do you have to do as an organization to adhere to the rules?
What is the core of GDPR?
GDPR protects the personal privacy of civilians by prescribing how organizations have to deal with personal data. The regulation replaces existing local rules and laws and unifies the regulations in the EU. Many of the GDPR rules are therefore about data rights of the affected individuals. For instance, GDPR prescribes that:
- Affected individuals need to be informed about what happens with their personal data.
- All has to be communicated in a simple and clear manner
- The affected individual has, next to the right to resist, inspect and correct data, also the right to be forgotten
- The affected individual has the right to export his data (also referred to as data portability)
- The affected individual has the right to limit processing of his data and the right to object to certain processing
- The affected individual always has the right to object to processing of his data for direct marketing purposes. If the individual files such an objection, it is not allowed to use his data for marketing purposes.
Consequences of this are for instance:
- Organizations must store all personal data in an encrypted format.
- Organizations must keep a register that describes what processing is done on personal data. This includes what data is being used for what purpose, who is involved in the processing and in what systems the data is being stored.
- Organizations must (internally) document all data breaches and, under certain circumstances, inform the authorities and the individuals affected within 72 hours.
- Organizations must be able to deal with requests of individuals who would like to review or correct their personal data.
Do GDPR also apply to SMEs?
GDPR applies in principle to all companies and organizations, in B2C as well as in B2B. There is an exemption for companies with less then 250 employees in that they are not required to keep a register of data processing activities, unless:
- It is likely that the processing the company performs contains a risk for the rights and liberties of the affected individuals,
- The processing is not incidental,
- It is about processing of data from the special categories (see the grey box in the figure further in this post), or personal data relating to criminal convictions and offences.
5 things you can start doing today
- Know what information you have. Identify what personal data you have and in what systems it is stored. This includes data about employees or the mailinglist of your newsletter.
- Know why you have the information. Document for all identified data collections for what purpose the data is collected, the source of the data and with whom you share the data.
- Be prepared. Apply measures to prevent leaks of personal data, to detect security breaches and, in case it happens anyway, to react to it in an effective manner.
- Create a processor agreement. Adhering to the rules of GDPR also implies that your partners in the supply chain process personal data in a proper way. Therefore, do create a processor agreement with these partners, describing how to deal with personal data.
- Know if you need to appoint a data protection officer. Use the flow chart below to quickly determine whether your organization needs to appoint a data protection officer according to GDPR.
Do you need a data protection officer?
The complete text of the regulation can be found on the EU website. Are instead looking for practical advice on what GDPR implies for your organization and your processes? Please do not hesitate to contact us.