GDPR is around the corner – this is what you need to know
GDPR is the EU’s new privacy regulation that harmonises the managing of personal data in the member countries and gives new rights to the individuals.
GDPR applies globally to all companies and organisations that handle personal information of a European citizen. Here’s in a nutshell what you need to know about GDPR.
Personal data – what is it?
GDPR defines personal data as any information concerning an identified or identifiable natural person. Information can be such as name, phone number, email address, car license plate or dynamic IP address.
Personal data can also be pseudonymised data that can be reversed to identifiable with additional data. There is also sensitive data such as political affiliation, health records, or genetic & biometric data that must be handled with special care. It is important to notice that children are identified as vulnerable individuals that require specific protection.
Transparency and consent
Individuals have a right to know how and why their data is used. This means that companies need to have a valid reason for the data usage. A valid reason can be for example if your company has a contract with the individual, if there’s a legal obligation for your company to collect the information, or if the individual has given a consent for your company to use the data. Note to yourself, if consent is given, it can be withdrawn anytime without any explanation needed.
Accountability and reversed burden of proof
One of the biggest changes in GDPR comparing to the previous situation is accountability. Organisations must be able to prove that they are following the GDPR. This is so called reversed burden of proof and means that you have to be able to prove that you are innocent. It requires you to document processes where personal data in proceed. In some cases, it could require privacy impact assessment.
Rights of the individuals
GDPR strengthens some of the rights of individuals and also creates some new ones.
Access to data
Individuals must be able to see the data you collected about them. You have 30 days to provide that information from the request. First copy must be free of charge.
Rectification of inaccurate data
If there is an inaccurate data, individuals can ask that data to be corrected and you need to do it.
Right of erasure
The individuals can ask their data to be removed. When there is no more business relationship or no more contractual obligation between your company and the individual, the data must be removed if an individual asks to.
Object to processing
The individuals can stop specific kind of processing, for example, direct marketing.
Individual can ask you to provide their data in a portable format to them or other service providers.
The individuals can ask you to stop processing their data for a period of time.
Profiling and automated decision taking
Profiling based on sensitive data that requires explicit consent and the individuals can request manual intervention of automated decision-making that cause them significant effects.
Data transfers and breaches
Data transfers outside EEA (European Economic Area) are restricted but not forbidden. It’s good to keep in mind that these cross-border data transfers require adequate level of data protection. There are a number of adequate countries outside EEA whose regulation provides similar protection of personal data as GDPR. Personal data can be transferred to this country without having to take further protective measures.
In case of a data breach, if a processor identifies one, they need to inform the controller without undue delay after becoming aware of it. There is no exception to this. Controllers need to inform the authorities within 72 hours after becoming aware of the breach.
Changes in contracting
A controller must have written contract with every processor, even in the end of the subcontracting chain. The contract has mandatory clauses stipulated by GDPR, so you need a proficient lawyer. The actions done by processor must be defined in writing.