What is GDPR
GDPR stands for the General Data Protection Regulation. Quite simply, it is a new, updated data protection law that gives individuals back control over who uses their personal information and when. If you run a business, you will need to make sure the personal data you hold is managed correctly and that you comply, or you face heavy penalties.
It applies from 25th May 2018 to anyone handling the personal data of individuals in the EU, anywhere in the world.
GDPR grants EU Data Subjects (individuals in the EU whose data is being processed) certain rights and protections relating to their personal information.
What Is Personal Information
Personal information can include many data types, including but not limited to:
- Credit card information
- Photos and videos
- Usernames and passwords
- First and last name
- Bank account information
- Medical records
- Passport information
- Personal email addresses
Some of the key changes outlined by GDPR include:
- Increased territorial scope
- Enhanced data inventory requirements
- Increased penalties
- Appointment of a Data Protection Officer (DPO)
- Broader obligations for Data Controllers (organisations that collect and determine how personal data of individuals in the EU is used)
- Direct obligations for Data Processors (any company that processes personal data on behalf of a Data Controller)
- More timely data breach reporting (notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible)
- Right to data portability
- Right to erasure (‘right to be forgotten’)
- Stronger Data Subject consent
For the most serious infringements, fines can be as high as €20 million or 4 per cent of annual global turnover, whichever is higher.
How to start
We know that it is easy to get caught up in the details and not know where to start, so here are ten things you should do now to get your GDPR preparation underway (Source: http://bit.ly/2FfexFw)
1. Everyone in your company should know about GDPR
Education should start at the top and then work its way down, so that everybody has the appropriate level of knowledge. Remember that business unit stakeholders do not need to understand all of the subtle nuances of GDPR, but they do need a general grasp of the terminology, the required controls and the desired outcomes.
2. Choose your “in house” GDPR specialist
In accordance with GDPR requirements, a Data Protection Officer (DPO) may need to be formally appointed for your organisation. Irrespective of whether or not this is the case, the appointments shouldn’t stop there. Your organisation should have an internal GDPR specialist within each line of business.
3. Which personal data elements do you control?
Whether you are in marketing, HR, customer services, procurement or one of the many other divisions within your organisation where GDPR will be a focal point, you should immediately start identifying all the personal data relating to individuals in the EU that is under your control.
4. Make a list of your personal data processing activities
GDPR‐compliant personal data processing procedures can be implemented centrally or departmentally. There are no hard and fast rules but you can’t create procedures until you understand how you or your department processes the personal data that’s under your control.
5. Educate & engage your legal and information teams
This almost goes without saying. Since GDPR is a regulatory mandate, your legal, compliance and information security teams should be deeply involved from the outset.
6. Check your current consent request and notifications
Make sure you identify how your part of the business is currently obtaining consent and providing notifications of processing.
7. Who are your everyday personal data handlers?
Start engaging and educating those employees within your area of the business that handle or process personal data as part of their everyday responsibilities.
8. Make a security plan in case of privacy breach
In order to provide breach notification as required by GDPR, you first need to know that a breach has occurred. That sounds straightforward, maybe even common sense, but in practice detecting a breach can be challenging, so your plan should cover how you will detect one, not only how you will respond to it.
9. Recheck all your data request handling
If your employees and customers are not already asking for the data you store and process about them, it is very likely they will be once GDPR is fully in effect. You should have well-defined, consistent processes and procedures for handling requests related to the Data Subject rights covered by GDPR.
10. Find out all your third party data processing companies
Lastly, start documenting any third‐party data processing services leveraged by your company. Do you use third parties to consolidate your marketing data and manage mailing lists, for instance? Make sure that you’re considering all potential third‐party data processing scenarios.
GDPR and Enkronos Platforms
All our teams have already started the work needed to ensure that all our platforms are fully in line with GDPR. We realise this is just the beginning of a long and sometimes unpredictable process, and we expect that some necessary changes will only become clear after 25th May 2018.
If you think GDPR doesn't concern you …
If someone asks you to delete their personal data, do you know where it is? 🙂
Are you sure you will be in line with GDPR across all your data sources? PCs, laptops and mobile devices? Email? Cloud services? File servers and CMS platforms with hundreds or thousands of authorised users? Dev/test copies? Business intelligence and analytics applications?
Enkronos Marketing Team