According to a recent UK government report, less than half of businesses are aware of the upcoming GDPR legislation, or of what it means for how information security is handled. However, now that the regulation is in effect, non-compliance could pose a major financial risk for organizations. First and foremost, the key phrase is: do not panic! The tips below can help you check that compliance has been achieved and become confident that your organization handles personal data based on explicit permission provided by each individual.
Many organizations have sent informative emails asking each individual to ‘opt in’ in order to receive news and updates from them. Others have announced changes to their privacy policies to ensure that they implement all appropriate technical and organizational measures, in order to satisfy all requirements applicable to the company.
The following steps, if already done where applicable, can ensure that organizations remain GDPR-compliant:
- Joined codes of conduct for the protection of data. Adhering to approved GDPR codes of conduct offers many benefits and in several circumstances it might even become a necessity.
- Created a support team ready to answer privacy questions, complaints or requests and also to provide details for DPIAs (Data Protection Impact Assessments)
- Added confidentiality terms in contracts
- Created a new Data Breach Policy to notify authorities and affected users within 72 hours
- Offered opt-out mechanisms in promotional emails and newsletters
- Invested in data security mechanisms (e.g. retained a Privacy Shield certification which helps keep users protected)
Additionally, given that the new data regulations are amongst the strictest in the world, it is of utmost importance to keep informing your stakeholders about any change in your policies relating to the processing of personal data, to continue investing in data security mechanisms and to keep up to date.
GDPR Principles related to personal data
According to the GDPR, the principles for processing personal data can be summarized as follows:
- Lawfulness: Personal data should be processed only when there is a legal basis for doing so, such as consent, by contract, or where there is a legal obligation, or where it is necessary in order to protect the vital interests of the data subject, or where it is for the legitimate interests of the controller.
- Fairness: Those involved in processing personal data should provide the data subject with sufficient information about the processing and the data subject’s rights.
- Transparency: Information should be provided in a concise and readily understandable manner.
- Purpose limitation: Personal data should only be collected and processed for specified, explicit and legitimate purposes, and it should not be processed for reasons unconnected with these purposes.
- Data minimization: Personal data should be adequate, relevant and limited to what is necessary for the purposes for which it has been collected and processed.
- Accuracy: Personal data should be accurate and up to date.
- Storage limitation: Personal data should be kept in a form permitting identification of data subjects for no longer than is necessary.
- Security: Using appropriate measures, personal data should be secured to protect against unauthorised or unlawful processing, accidental loss, destruction or damage.
Data protection concerns all
It is worth mentioning that requirements for personal data protection already exist under national laws. However, the level of administrative fines under the new regime is substantially higher than under the old legislation. Penalties for infringements of the GDPR, in relation to certain provisions, can be up to €20 million or, in the case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.
As Allianz notes, the “GDPR is more an evolution to existing EU data protection laws than a revolution”. It actually strengthens the principles of processing personal data, the accountability and obligations of legal entities, the data subject’s access requests and regulatory oversight powers. Also, the GDPR pays no particular attention to the size of the organization: SMEs and even smaller companies are subject to the law.