GDPR: Data protection is teamwork
How can we apply the General Data Protection Regulation (GDPR) in a simple and efficient way? How do we avoid errors? Who should do what, and starting from when? Matthias Niehoff, data protection expert, answers the major questions about this new regulation.
Everyone is talking about GDPR. What is the actual importance of this regulation?
The data protection regulation is very important. In fact, it concerns all companies and organizations that automatically process the personal data of any individual residing in the EU. Nowadays, which company does not meet this criterion?
What do companies have to do under the GDPR?
First of all, they have to determine where data pertaining to people is collected. Operational processes must be documented according to the law, and the legal basis on which the data collection rests needs to be established, for example consent or a contract. Next, it is necessary to prioritize the operational processes that pose the greatest risk to individuals, according to the law. The individual's rights increase considerably, and at the same time the reporting obligations in the event of a loss of data are unquestionably reinforced: any problem related to data must now be reported within 72 hours. An external data protection officer or advisor cannot tackle this alone. It is important that the management of the company takes the initiative and involves the appropriate staff members in the process. Data protection is teamwork.
What does "personal data" mean exactly?
This is information that has a direct or indirect connection with an individual, for example: name, address, phone number, email, IP address. A link to an employee, ID or registration number is all that is required.
What should be considered when storing data and documents?
The manner in which the data is stored must be documented. The principle of data minimization applies. We must ask ourselves: is there a legal basis for this? Are we dealing only with the essential data, and within an allowable time frame? Is the data protected well enough that only those who are authorized can access it? Sometimes, more data has to be processed in order to satisfy evidentiary obligations.
What happens if a company doesn’t follow the provisions of GDPR?
Starting on May 25, 2018, if the GDPR is not being put into practice and the situation is serious, a company can be fined up to 20 million euros or 4% of its business turnover from the previous year. Furthermore, a fine such as this may also extend to the personal liability of the company management, department heads and data protection officers.
Does the GDPR apply to older data? Wouldn’t that require a tremendous effort?
The purpose of the GDPR is the processing of personal data in accordance with the law. The age of the data is irrelevant. The following points should be verified: Is there a valid legal reason to store the data (for example, if a newsletter is sent by email)? Does the recipient authorization meet the GDPR requirements? One of our clients had thousands of data records, but only about 10% were valid and conclusive authorizations. This entrepreneur had to conduct a risk assessment and clarify the situation: Will he continue to process data without a legal basis? Will he ask for a new authorization from the individuals concerned? Will he erase the customers' data? If data processing poses a high risk to a person's rights or freedoms, then those risks must be minimized. The data protection officer advises the entrepreneur throughout this procedure.
How do these regulations apply to non-European companies that operate inside the EU?
To simplify: wherever their headquarters are located, companies have to keep an eye on the GDPR as soon as they offer services to individuals in the EU, monitor their behavior, or do anything similar.
You have already advised many companies. Do you think that companies are ready to face the GDPR?
Some companies certainly are not... but others, who have already dealt successfully with data processing in the past, are ready for the GDPR. It makes things a lot easier for them today. The GDPR has already been around for two years. Whoever hasn't started yet should get on the ball!