Are you ready for GDPR?
On 27th April 2016, the General Data Protection Regulation (GDPR) was adopted, and it takes effect across the entire world. This includes the United States on the 15th May 2018. The GDPR is a comprehensive data protection regulation whose primary goal is to give EU citizens and residents stronger privacy rights. The new rules replace the less harmonized 1995 Data Protection Directive. The GDPR's mandates apply to any organization that has EU clients, partners or vendors.
Who and where GDPR affects
The GDPR affects firms of all sizes that store or process the personal data of EU residents. If your website stores or processes the data of EU members, you should start preparing for the GDPR. Examples include newsletter opt-in forms, cloud services and marketing communication tools. Some public entities, such as law enforcement, are exempt from the data protection requirements. Non-compliance can cost companies up to twenty million Euros or four percent of their global annual turnover. You need to understand the GDPR requirements and their consequences for the firm so that you can implement them with the consent of your firm. This implementation needs a dedicated effort; the requirements to cover when running a GDPR project include:
Lawful, fair and transparent processing
Firms that process personal data are required to handle it in a manner that is lawful, fair and transparent. Lawful means that all processing must be based on a legitimate purpose. Fair means that the company takes responsibility and does not process the data for any use other than the valid purpose. Transparent means that companies are required to inform data subjects about the processing activities carried out on their personal data.
Limitation of purpose, data and also storage
Companies are required to limit processing, to collect only the data that is needed and not to keep personal data after the purpose of processing is fulfilled. This leads to the following requirements: processing of personal data outside the legitimate purpose for which it was collected is forbidden; only the personal data that is actually needed may be requested; and personal data must be deleted as soon as the legitimate purpose for which it was collected is fulfilled.
Data subject rights
The data subject has the right to ask the firm what information it holds about them and what the company does with that information. The data subject also has the right to request corrections, lodge a complaint, object to processing, and request the deletion of their personal data.
Clear and explicit consent must be obtained from the data subject when the company intends to process personal data beyond the legitimate purpose for which it was collected. Once obtained, the consent must be documented. The data subject must also be allowed to withdraw the consent at any time. The GDPR requires explicit consent for processing the data of children under 16 years.
Personal data breaches
The organization is required to maintain a register of personal data breaches. Depending on the severity, the regulator and the data subjects must be informed within seventy-two hours of discovering the breach.
Privacy by design
Companies are required to build organizational and technical mechanisms that keep personal data safe into the design of their current systems and processes. This means ensuring that privacy and data protection are in place by default.
Data protection impact assessment
A Data Protection Impact Assessment must be conducted when starting a new project or product, or when making changes. It helps to estimate the impact of the changes and to decide on further actions. The assessment is a procedure that must be carried out once significant changes are introduced in the processing of personal data. Such a change can be a new process or a change to an existing process that alters the way personal data is processed.
Data transfer
The controller of the personal data is responsible for ensuring that the personal information is safe and that the GDPR requirements are respected even when the processing is outsourced to a third party. This means that controllers are obligated to ensure the privacy and protection of personal data when it is transferred outside the company, whether to a third party or to another entity within that company.
Data protection officer
The organization is required to appoint a Data Protection Officer when significant processing of personal data takes place in the organization. Once appointed, the Data Protection Officer is responsible for advising the company on compliance with the EU GDPR requirements.
Awareness and training
Companies need to raise awareness among their employees of the main GDPR requirements. They should also carry out training regularly to make sure that staff remain aware of their tasks concerning the safety of personal data and can identify personal data breaches immediately.
You should kick-start GDPR compliance by creating a GDPR readiness plan that includes checks and balances for implementation and awareness. Here are a few considerations:
Raising awareness and contacting your attorney. This should be your first step to ensure compliance. Informing your company is vital, as it brings everyone up to speed on the GDPR requirements. Bringing in the legal team reduces your risk of non-compliance.
Performing a data audit that maps your information flows. Your company should be able to account for many things, such as where the data comes from, how it is used, where consent was given, whether the consent is clear and segmented, and so on.
Impact of the GDPR when you are not located in the EU
You should ensure that your site is GDPR compliant if someone inside the EU can access it. The GDPR affects how data is managed on your site unless the site is completely blocked for all EU citizens.
When you don't store any data on your site
Data still flows through the features of your site even when it is stored externally with a third party. Therefore, you still need to comply with the GDPR.
When you share your traffic stats with a third party
It is common for a PR agency to ask for traffic stats for a sponsored blog post. This is not affected by the GDPR, since traffic stats do not include personal information such as email addresses or IP information.