Is your business website ready for GDPR?
This May 25th the new EU data protection legislation, the “General Data Protection Regulation” (GDPR), comes into effect, and its reach extends all over the world, not just within the EU. It applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing itself takes place in the EU or not. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
The European Parliament and Council have been debating this 88-page document for over 6 years; it can be accessed here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1490179745294&from=en
In short: what is it about?
It primarily aims to protect the personal data and fundamental rights of natural persons (data subjects) with regard to how their information is used by entities (controllers) such as companies, schools, hospitals etc.
Jan Philipp Albrecht, the French/German MEP driving this new legislation, says “while food standards and the sale of dangerous goods have both been closely regulated for some time, lawmakers have been slower to safeguard personal data”. At a panel meeting organised by Wire in February 2018, where he and other European legal experts came together, two distinct ways in which the GDPR works were described:
- first, increasing data protection by directly enforcing compliance through financial penalties (organisations can be fined up to 4% of annual global turnover or €20 Million, whichever is greater),
- and second, hopefully sparking a new wave of innovation within businesses by encouraging organisations to streamline their data management.
The speakers at the panel see benefits for businesses emerging as they gain increased insight into and control over their data. The concept of “privacy by design” becomes a legal requirement under the GDPR, which states “The controller shall (…) implement appropriate technical and organisational measures in an effective way (…)”. This could lead to new designs and new ways of handling data.
But what kinds of data are covered here? Any sensitive data about the natural person, from ethnic or religious background to political views, memberships, financial records etc. Even genetic or biometric data and online identifiers such as IP addresses and mobile device IDs are considered personal data.
So how can you as an organisation comply with GDPR?
- Collect, use, store and protect personal data responsibly (your process needs to show what happens with the data and how the subject can control what happens with it)
- Allow the subject to give their consent to everything that happens with their data (the request for consent must be presented in an intelligible and easily accessible form, clearly distinguishable from other matters, using clear and plain language; it must be as easy to withdraw consent as it is to give it)
- Enable the subject to request access to their data (the controller shall provide a copy of the personal data, free of charge, in an electronic format)
- Delete or change/update the subject’s data on request (data erasure, also known as the right to be forgotten, entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data)
- Inform the subject if their data has been leaked or misused (breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach)
- Only use the subject’s data that is relevant to the services you offer (Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to carry out the processing)
- Determine whether you need to appoint a data protection officer (DPO). DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences. (quotes taken from https://www.eugdpr.org/key-changes.html)
The video here explains all these points very well from a subject’s point of view.
Do you feel ready now? We hope you do, and that the information provided here makes a difference!