EU GDPR effective – now what?!

The last few months, we all have heard  the abbreviation of the EU General Data Protection Regulation, and although, at first many may had difficulty in putting the four letters into the correct order…now everyone talks about the GDPR. The deadline for its implementation, the May 25^th, has reached to an end, meaning that from now onwards, all organizations in the EU, as well as those that deal with data related to EU residents, should comply with new data privacy laws.  Albeit the increased awareness over this issue by the business world, have we really understood what about this regulation is? And most importantly, are we actually prepared for compliance?

According to a recent UK government report, less than half of businesses are aware of the upcoming GDPR legislation, or what they mean for how information security is handled. However, now that the regulation is effective, non-compliance could pose a major financial risk for the organizations. First and foremost, the key phrase is: do not panic!  The tips below can help to check successful compliance and become confident that your organization handles personal data based on explicit permission provided by each individual.

Many organizations have sent informative emails requesting from each individual to ‘opt in’ in order to receive news and updates from them. Others informed about changes in their privacy policies to ensure that they are implementing all appropriate technical and organizational measures, in order to satisfy all applicable to the company  requirements.

The following, if already done where applicable, can ensure that organizations remain GDPR- compliant:

• Updated terms of service and privacy policy to reflect the new requirements
• Joined codes of conduct for the protection of data. Adhering to approved GDPR codes of conduct offers many benefits and in several circumstances it might even become a necessity.
• Created a support team ready to answer privacy questions, complaints or requests and also provide details for DPIAs (Data Protection Impact Assessment)
• Added confidentiality terms in contracts
• Created a new Data Breach Policy to notify authorities and affected users within 72 hours
• Offer opt-out mechanisms in internet promotion emails and newsletters
• Invested in data security mechanisms (e.g. retained a Privacy Shield certification which helps keep users protected)

Additionally, given that the new data regulations are amongst the strictest in the world, it is of outmost importance to keep informing your stakeholders about any change in your policies in relation to the processing of personal data, continue investing in data security mechanisms and keep up-to date.

GDPR Principles related to personal data

According to GDPR, the principals for processing personal data can be summarized as follows:

1. Lawfulness: Personal data should be processed only when there is a legal basis for doing so, such as consent, by contract, or where there is a legal obligation, or where it is necessary in order to protect the vital interests of the data subject, or where it is for the legitimate interests of the controller.
2. Fairness: Those involved in processing personal data should provide the data subject with sufficient information about the processing and the data subject’s rights.
3. Transparency: Information should be provided in a concise and readily understandable manner
4. Purpose limitation: Personal data should only be collected and processed for specified, explicit and legitimate purposes and it should not be processed for reasons unconnected with these purposes
5. Data minimization: Personal data should be adequate, relevant and limited to what is necessary for the purposes for which it has been collected and processed.
6. Accuracy: Personal data should be accurate and up-to-date
7. Storage limitation: Personal data should be kept in a form permitting identification of data subjects for no longer than is necessary
8. Security: Using appropriate measures, personal data should be secured to protect against unauthorised or unlawful processing, accidental loss, destruction or damage.

Data protection concerns all

It is worth mentioning that requirements for personal data protection already exist under national laws. However, the level of administrative fines under the new regime is substantially higher than under the old legislation. penalties for infringements of the GDPR, in relation to certain provisions, can be up to €20 million or in the case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.

As Allianz notes, the ‘’GDPR is more an evolution to existing EU data protection laws than a revolution’’. It actually improves the principles of processing personal data, the accountability and obligations of legal entities, the data subject’s access requests and regulatory oversight power. Also, the GDRR pays no particular attention to the size of the organization given that SMEs are subject to the law and even smaller companies.