20 Up-and-comers To Watch In The GDPR In The UK Industry

Anyone who handles personal data has to comply with GDPR. That includes data controllers, who determine how and why personal information will be processed, and data processors, the companies that handle personal data on behalf of the data controller.

Under the law, each business has to plan its operations with privacy in mind. Infractions should be reported within 72 hours. The law allows sanctions of up to four percent of annual revenue.

What is GDPR?

GDPR is a new data protection law that came into force in the EU. Its goal is to give consumers more control over the personal data businesses collect. The regulation also increases penalties for violators.

It defines "personal information" as anything that identifies a person, such as a name, email address, IP address, or phone number. This also covers information relating to a person's genetic and biometric attributes. Businesses must ask individuals for explicit consent before they can use personal information, and they have to present the consent request in simple language. The law also permits individuals to revoke their consent at any moment. In the event of withdrawal, companies will be required to delete any personal data they have. This is sometimes called the "right to be forgotten" or the "right to be erased."

The law applies to businesses and organizations in the EU and also to those outside of the EU that offer products or services to, monitor the actions of, or gather data on individuals who reside in the European Union. It puts the onus of compliance on both data controllers (the company that determines what personal information is processed and how) and data processors (outside organizations that manage this data).

Processors must sign contracts with data controllers that set out clear responsibilities and define how they are going to follow GDPR's strict rules on security, processing and breach notification. These entities must train their staff on the new guidelines.

Another major aspect of GDPR is the requirement for businesses to record how they process personal data. Data subjects can check whether the data they provide is being used improperly, or if the company has been hacked. It also helps prevent fraud and improves consumer confidence in the processing of their personal data.

GDPR defines principles that include transparency, fairness and limitation of use. It also establishes principles of "lawfulness", "fairness" and "proportionality", under which you must collect and store personal data only to serve a legitimate and appropriate purpose. Restrict the amount of information you save and retain it only for as long as necessary.

How does GDPR impact my company?

The GDPR affects any organization that gathers or stores data about EU citizens, even individuals who live outside of the EU. Additionally, the GDPR affects companies that do business with EU citizens. The law is designed to improve transparency and the privacy of personal information. It requires companies to provide more information on how they collect data, how they use it and what protections they provide for it. For non-compliance, fines can be as high as 20 million euros, or 4 percent of global revenue, so the risks are very high.

Enterprises must take an integrated approach to assessing GDPR's impact and implications in all their aspects. To achieve this, it is necessary to include all parties, not just those in IT. Establishing a GDPR task force comprising representatives from Marketing Operations, Finance, and Sales is a great way to ensure that every department is kept informed of any developments that might affect its area of the business.

Once the team has collected information for the organization's risk assessment, it's time to decide what steps should be taken to mitigate those risks. It could be as simple as updating privacy policies regarding data or encryption. It could also mean setting up new processes for handling data, training employees on the GDPR regulations, or establishing an organizational structure that allows for more transparency and accountability.

Businesses must also communicate clearly with customers about the changes in regulations. This will make it simpler to comply with the requirements of the new regulations. The disclosure must be clear, short, simple, easily accessible and easy to understand. It should use basic language and avoid technical terms.

Making sure you are prepared for GDPR is imperative for all businesses that gather or use data on EU citizens. With a proactive plan, businesses can stay within the law and avoid expensive penalties for non-compliance.

How can I be prepared for GDPR?

First step: study how data is collected, stored and processed. The GDPR requires companies to disclose how the data they hold was collected, used and stored. This could require a comprehensive study of existing procedures, systems and policies.

Additionally, new rules must be put in place so that data is used only for the stated purposes and not for any other purpose. You can avoid GDPR fines by reducing the amount of information you collect and keep.

If you're collecting personal data to use for marketing, then your consent form must use specific, simple and clear wording (not obscured by legal terms). The form should also allow withdrawal. It's important to ensure that the consent request stands distinct from all other requirements. The absence of consent or pre-ticked boxes won't suffice anymore. Simple opt-out forms are required.

Similarly, your privacy notices have to be updated with the lawful reason for collecting the data and any additional information required by GDPR, such as your retention period and the possibility of submitting a complaint to the ICO. It's also important to review all contracts with any third parties that process your personal information, in order to make sure that they're in compliance with the GDPR.

It's also important to consider how your organization will implement the additional rights that individuals have, such as the right to access their personal data, the right to rectify and update information, the right to limit processing, the right to object to automated decision-making including profiling, and the right to be erased. It is crucial to identify who will be in charge of these tasks before putting the proper systems in place.

The ICO offers a valuable checklist that can help with the process. Our GDPR Compliance 10 Step Checklist gives more detail on what you should be doing to prepare. It covers every aspect of GDPR preparation, from how your business gathers personal information to how it tells customers about it and what methods it uses to process the data. Whether you're within the EU or not, it is a must to ensure that your organization is GDPR-compliant.

What should I do to make sure that I am in compliance with GDPR?

It's vital to keep track of and continually assess your compliance with GDPR. You must ensure that you have the appropriate systems in place to allow data subjects to exercise their expanded rights, such as the right to access, the right of rectification, and the right of erasure (the "right to be forgotten"). Be sure your policies are well-documented and clear. Every employee should undergo both initial and refresher training.

Incorporate a clause in your privacy policy that describes how you'll handle individuals who want to exercise their rights, and that includes the consent process. It is possible to avoid penalties if your organization doesn't adhere to the GDPR guidelines. It's also recommended to designate a person to be responsible for ensuring compliance within your company. This may be an in-house or outsourced specialist who is experienced in GDPR compliance and who can answer questions from anyone at your firm.

Make sure that the companies and solutions you employ to store, analyze or process personal information are GDPR compliant as well. It's crucial to confirm that both you and your processing partners are GDPR compliant.

Keep track of the personal data you have, the source it comes from, and who you share it with, along with your risk mitigation measures. Then you can demonstrate your compliance with the GDPR to your supervisory authority when it inquires.

Prepare for any issues that may arise, and be ready to respond quickly. This will help you to avoid potential fines and reputational damage. Many companies are considering making compliance obligatory by adding a clause to employee contracts that requires employees to comply with the rules of GDPR. Certain companies are adding incentives and punishments to encourage conformity, including withholding bonuses or other rewards from employees who do not adhere to the regulations. A survey conducted by Veritas Technology revealed that nearly fifty percent of respondents would likely include GDPR policies in employee contracts.