10 things you need to know about GDPR

February 9, 2018

With just weeks to go until the new European Union General Data Protection Regulation (GDPR) applies from 25 May 2018, you still have time to make sure your organization is ready to comply. In case you are still unclear about exactly what is required of your business or organization, these 10 check points will help you make sure you are not missing anything important.

1. You are not exempt

It doesn’t matter where in the world you are established or where you conduct your business: if you process the personal data of people in the EU in connection with offering them goods or services, or with monitoring their behaviour, you fall within the territorial scope of the GDPR and must comply with the obligations described below.

2. Data processors must comply too

Whereas responsibility for data protection used to lie solely with the data controller (the organization that decides what data is gathered and how it will be used), the GDPR now places direct obligations on data processors too (those providing processing services to controllers, e.g. marketing companies or hosting providers), such as keeping records, securing the data and assisting the controller. Quite simply, any organization that touches the personal data of people in the EU must meet its own responsibilities under the GDPR.

3. Personal data has broad meaning

Personal data means any information relating to an identified or identifiable individual. That includes the obvious name, address, age, phone number etc., but also online identifiers such as IP addresses and cookie IDs, financial details, and social media posts, shared images and other user-generated content that points to a person’s identity. Some of it, such as medical records, religious beliefs, ethnic origin and biometric data, counts as a special category of data and is subject to stricter conditions before it may be processed at all.

Existing data must also be compliant. The GDPR doesn’t only apply to new information gathered after 25 May; it applies to all the data a company or organization controls or processes. So all the data you currently hold will have to be brought into line with the GDPR rules by 25 May, including having a valid legal basis for it, or else you won’t be allowed to keep using it.

4. Consent must be affirmative

When gathering personal data, you must spell out in very clear language what information you are collecting, what you are going to use it for, on what legal basis, and how long you are going to keep it. This must be unambiguous. If you are relying on consent as the legal basis for your processing, the consent must be a freely given, affirmative action, i.e. an opt-in. Pre-ticked boxes, opt-outs and silence will no longer count as valid consent, and the individual must be able to withdraw consent as easily as they gave it.

You are also obliged to secure fresh consent if you change the way you intend to use an individual’s data. You must keep the necessary documentation as proof that you obtained clear, affirmative consent for any data you use on that basis. In the case of children under the age of 16 (member states may lower this threshold to as low as 13), consent from a parent or holder of parental responsibility is required before you can collect, store or process their personal data for online services offered directly to them, and you must make reasonable efforts to verify that it was actually given.

5. You most likely need a Data Protection Officer (DPO)

The GDPR states that organizations controlling or processing the data of people in the EU must designate a DPO if they are:

A public authority or body (except courts acting in their judicial capacity)
Engaged, as a core activity, in large-scale, regular and systematic monitoring of individuals
Engaged, as a core activity, in large-scale processing of special categories of data (e.g. health, religion, biometrics) or data relating to criminal convictions

Thus, what matters is not the size of your organization but the nature and scale of its processing. This means that a number of smaller businesses (SMEs), for example those running health apps or large-scale tracking, need to appoint a DPO, and some member states impose the requirement more broadly.

Your DPO can be a member of staff or a contractor, but they need to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.” They must also be able to act independently and report to the highest level of management. We will go into more depth about their tasks and responsibilities in a separate article but, in short, they will be the central point of control for your GDPR compliance, reporting to the board, communicating with all staff and liaising with the national data protection authority. The better your compliance systems and processes, the easier and more efficient their job will be.

6. You need to create a record of processing activities

A critical part of the GDPR journey is to gather information about all storage and processing of personal data: what you hold, why, on which legal basis, who it is shared with, how long it is kept and how it is protected. You have to be able to make the record available to supervisory authorities such as the UK ICO on request. Article 30 of the GDPR lists what such a record must contain, both for controllers and for processors. Organizations with fewer than 250 employees are exempt only if their processing is occasional, involves no special categories of data and is unlikely to result in a risk to individuals, which in practice rules out the exemption for most businesses. We recommend doing data mapping, using a solution such as CCQ that has predefined questionnaires to help you discover personal data. The CCQ Asset Management module helps you catalogue the company’s IT systems and gather the relevant information to make available to supervisory authorities when they come knocking on your door.

7. Data breaches must be reported

In the event of a personal data breach, the controller will be obliged to notify the national data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned; if the notification is late, the delay must be justified. Where the breach is likely to result in a high risk to individuals, they must be informed as well, without undue delay. Processors must notify their controllers without undue delay after discovering a breach, and every breach must be documented internally even if it is not reportable. The upshot of this is that you will need to have the technology, training, communications and processes in place to monitor continuously and to enable prompt detection, assessment and response.

8. You must respect the individual’s rights

The GDPR has strengthened the rights of individuals who want access to their data, to have it corrected, to have it deleted, or to receive it in a portable format. When an individual exercises the right to erasure, for example because the data is no longer needed for its original purpose or they have withdrawn consent, you are obliged to ensure that the data is erased without undue delay unless a specific exception applies (such as a legal obligation to retain it). That means not only erasing the data you hold but instructing the processors acting on your behalf to delete it too and, where you have made the data public, taking reasonable steps to inform other controllers of the request, so you will need to have the processes in place to track where data flows and to erase it on request.

Similarly, if a data subject requests access to the data you hold on them, you are obliged to respond within one month (extendable by a further two months for complex or numerous requests, provided you tell the individual why) and you may no longer charge for the service, except where a request is manifestly unfounded or excessive.

9. Non-compliance could bring you down

If you’re in any doubt about how seriously the EU is taking data protection, take a look at the penalties. Infringements of obligations such as breach notification, record keeping, security of processing or appointing a DPO can bring a fine of up to €10 million or 2% of your annual global group turnover, whichever is greater. Infringements of the core principles (lawfulness, consent, purpose limitation), of individuals’ rights, or of the rules on international transfers carry a maximum of €20 million or 4% of turnover, and repeated or deliberate failures weigh towards the top of the range. Even if you avoid a fine, the GDPR also gives supervisory authorities the power to impose a temporary or permanent ban on your processing, which could effectively bring your business to a grinding halt.

10. There’s no need to panic – get organized

The deadline is moving closer, but take note that GDPR compliance is an ongoing task and few organizations will be 100% compliant come 25 May. CCQ from Origo helps you discover and catalogue personal data. Through the process of pre-audits, your GDPR team or consultant can find the tasks that need the highest priority and focus on those first.
Posted by the CCQ Team.

[Disclaimer] This material is intended for general information purposes only and does not constitute legal advice. The views, thoughts and opinions expressed in this article are solely those of the original authors, and do not necessarily reflect the official policy or position of Origo, or any other entity.