GDPR is thundering down the tracks. It’s a recognition, finally, that data generation is growing exponentially and that much of this data is in fact private information about private individuals. GDPR is coming and it will be profound as it has implications for all businesses, large and small:
Control where your data is and how it’s stored, shared and accessed
Regulators and lawmakers in the EU are stepping in forcefully and mandating that companies holding or helping to generate that information have to treat it with respect. It also gives people significant rights over the information being held on them. They can demand to see what’s being held – in a way that’s clear and understandable – and they can demand the right to be forgotten and have that data deleted.
While GDPR becomes law on May 25th and, like all laws, will be open to interpretation that will be settled in the courts, it is well thought out and takes into account the relative burden on organisations large and small. Large organisations and public institutions obviously have more responsibilities, and the compulsion to appoint Data Protection Officers is a recognition of this.
Role of Data Protection Officer
When the GDPR becomes effective May 25, 2018, the data protection officer becomes a mandatory role under Article 37 for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities that oversee activities related to data.
The DPO’s responsibilities include, but are not limited to, the following:
- Educating the company and employees on important compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Serving as the point of contact between the company and GDPR Supervisory Authorities
- Monitoring performance and providing advice on the impact of data protection efforts
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
- Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.
Under Article 30, the GDPR acknowledges that SMEs are different from large corporations and public organisations. Those SMEs with fewer than 250 employees that don’t collect a lot of personal data:
- Do not have to hire a full-time data protection officer
- Do not have to keep formal records about how the company processes data
- Do not have to report minor data breaches as long as there is no risk to the rights of the people involved.
While SMEs have these exemptions, they must still comply – AND BE SEEN TO COMPLY – with the new law. This applies to all companies doing business in the EU, where the same law will apply from May 25th. This includes the UK, which has stated that, irrespective of Brexit, it is adopting the legislation as well.
So all SMEs need to start gaining an understanding of the data they hold on individuals and whether it is personal data as defined by the law. This is any information relating to an identified or identifiable ‘natural person’ (a “Data Subject”). It can include information such as a name, a photo, an email address (personal and work), bank details, posts on social networking websites, medical information or even an IP address. The definition of ‘personal data’ is the same in all EU states, and the provisions of the GDPR are generally consistent across all member states.
Personal Data Definition
As a general rule, any information that can be used to identify an individual – either on its own or when combined with another piece of information – is classified as personal data. This can include biometric, genetic and location data.
Once a company identifies its data in this way, it has three major responsibilities:
#1. Accountability
The GDPR is big on accountability. The SME will have to be able to prove its compliance with the data protection regulations. It will have to be seen to be complying and making every appropriate attempt to comply.
#2. Notification of data breaches
There are exemptions for minor breaches, but all other breaches must be reported to the regulators within 72 hours. In addition, all customers affected by the breach have to be informed.
#3. Consent and privacy notices
The GDPR means businesses must get consent to use the data they collect from consumers. The GDPR has a principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. As mentioned, consumers are allowed to withdraw consent and to ask to see what information is stored about them.
The GDPR aims to strengthen individuals’ rights to privacy in a ubiquitous data environment. That is to be commended and respected. And if not, there are severe penalties for non-compliance, and there are no exemptions from these. Companies could be fined up to €20,000,000 or 4 percent of annual turnover.
The EU, with its GDPR law, is getting serious about protecting consumers’ rights to privacy and is putting every business on notice.
Rinodrive has been built to meet the requirements of GDPR. At Rinodrive, security and privacy are the highest priority. We understand that the confidentiality of data and protocols is critical. All of your data is stored in highly secure data centres managed under dozens of compliance programs and audit safeguards. Try Rinodrive and discover for yourself that there’s an affordable and easily implemented solution.
Ready to give Rinodrive a go? Signing up for a free trial is just
How are you feeling about the fact that GDPR is coming? What’s your experience so far? Share your thoughts below.
Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).