GDPR – How to prepare your business

12/12/2017

The General Data Protection Regulation is a personal data protection regulation adopted in April 2016 by the highest European regulatory bodies. By May 2018, all businesses and organizations must comply with GDPR requirements.

Brief introduction to General Data Protection Regulation

The main intent of GDPR is to strengthen and unify data protection across the European Union. GDPR also aims to simplify the regulatory environment for businesses, especially for businesses that operate internationally.

On the other hand, GDPR also aims to introduce “digital rights” for the general public. In today’s digital world, personal data is not only a matter of privacy; it also has economic value in the digital economy. With GDPR, the legislator aims to give control back to the citizens.

Do note that General Data Protection Regulation doesn’t require any enabling legislation from the national governments. GDPR is directly binding and applicable.

If your organization is compliant with the current Data Protection Act (DPA), that is a great starting point for GDPR compliance. But be aware that GDPR also brings some new elements and important data protection enhancements. Make sure your organization prepares for the new law.

How to prepare for GDPR

It is a good idea to plan and prepare early. If your business is very large and complex, it will take more work to prepare. Your organization may need to develop new procedures, for example, to deal with the GDPR’s provisions on individuals’ rights and its new transparency requirements. The GDPR might have budgetary, personnel, governance, communication and IT implications for complex businesses.

For instance, GDPR is stricter than the DPA about the documentation that data controllers have to keep. A significant part of this may be reviewing the contracts and other arrangements the business has in place when sharing data with other organisations.

Some businesses and organisations will be more affected by GDPR than others. This may especially be true for the provisions related to children’s data or profiling.

Make sure you understand which parts of the GDPR have the strongest impact on your business model.

The first step in preparing for GDPR

The new legislation roughly defines two roles for organizations that handle personal data. You have to find out whether your organization handles personal data as a “data controller” or as a “data processor”.

It is also possible for an organization to process data as both a data controller and a data processor. If this is the case for your organization, it will have to comply with the rules for both roles.

GDPR – the difference between data controller and data processor

The key difference between the data controller and the data processor is their role in the data processing. It is very important for an organization to understand where it fits.

A data controller is an organization that determines the purposes for which data is processed. It also means that the organization has to exercise control over the processing of the data.

Therefore, the data controller carries the data protection responsibility.

In terms of the General Data Protection Regulation, the data processor is an organization that processes data on behalf of the data controller. The data processor has the freedom to decide how to carry out the activities on the data controller’s behalf, but does not have the freedom to decide on the activities themselves.

For example, the data controller decides in the first place to collect personal data, and determines the legal basis for that collection. The data processor decides which methods or IT systems will be used for the data collection.

Another good example: the data controller decides on the content of the data, while the data processor decides how to store the data.

Also, the data controller decides how long to retain the data. The data controller finds the best means to delete the data.

What information does the GDPR apply to?

The General Data Protection Regulation applies to any information that relates to an identifiable person. It applies even if the person can only be identified indirectly.

Keep in mind that a person can be identified not only by a name or an identification number. In the digital age, location data and online identifiers (such as IP addresses) are considered equally important.

Even if you, for instance, track data under pseudonyms, GDPR may still apply. The main criterion is how hard it would be to identify the person behind the pseudonym.

The GDPR also recognizes sensitive personal data, which falls into special categories of personal data. This may be, for example, biometric data or genetic information, if such data is processed in a way that links the data to a specific individual.

The main GDPR principles for businesses

Under the General Data Protection Regulation, there are a few key areas that an organization has to focus on.

Personal data has to be processed in a lawful manner. The data also has to be used in a manner that is fair and transparent towards individuals.

Personal data has to be collected for legitimate, explicit and specified purposes, and any further processing must be compatible with those purposes. Luckily, further processing for scientific, historical, statistical and public interest purposes will not be affected by GDPR.

Your organization has to have a good legal purpose for data collection, and it has to stick to it. Data protection limits you to collecting only data that is relevant to that purpose.

Your organization also owes it to the public to keep the data accurate and up to date wherever possible. Inaccurate data must be erased without delay.

Your organization may keep personal data in a form that links the data to a specific person only for as long as it is necessary for the main purpose.

And, of course, the data has to be secure. Personal data has to be protected against unauthorised or unlawful processing, and it also has to be secured against loss, destruction or damage.

GDPR in the UK

For businesses in the UK, GDPR remains an important issue regardless of Brexit. First, if you are collecting data from EU citizens, you are obliged to respect GDPR. Secondly, the UK government issued new data protection legislation in September 2017. The bill has yet to pass through the House of Commons and the House of Lords to become law, but it is very similar to the GDPR.

The subject of GDPR is somewhat complex, but it will most likely become easier to grasp in the future.

You can read the full General Data Protection Regulation here.

Alternatively, you can subscribe to the gigCMO newsletter and learn more about practical implications of GDPR for your business.

GDPR – now what?

While, as a citizen, it sounds quite fair to have your personal data protected, the transition from the DPA to GDPR may be a bit tricky for organizations. However, more guidance is being published daily, and it is a matter of learning as you go.

With a bit of help, any organisation can make the GDPR transition safely.