The EU General Data Protection Regulation (GDPR) will be enforced from May 25, 2018. The regulation affects every business that collects and uses people’s personal data for sales, marketing, customer support, or any other purpose that involves keeping in contact with people.
GDPR does not make for light reading, let alone riveting reading, but at the very least it’s important to be aware of the basics. Below are 5 key points which we think are worth knowing about. At the same time, we highly recommend reading into GDPR whilst on the lavatory or whenever you can steal a spare moment, to give this important piece of regulation the attention it deserves.
Accountability
Under GDPR, organizations are held accountable both for the methods they use to collect personal data and for the reasons they hold it. An organization needs to be able to explain how it acquired the data, why it is holding it, whether it was gathered with consent (or on another lawful basis), how the data is secured, and which external parties can obtain it.
Privacy rights
Since personal data is ultimately about us, you, me and the entire world population, we have rights over our data, including the right to be informed, the right of access, the right to rectification, the right to erasure, and the right to object, among others. Know your rights regarding your data!
Plan for data breaches
Should your organization suffer a personal data breach, you have 72 hours from becoming aware of it to report it to the supervisory authority, providing as much information as you can (details that are not yet available may follow in phases). Where the breach is likely to result in a high risk to the people affected, they must be informed as well. In such an event, you need to know who to call and have a process in place to avoid complications.
Appoint a data protection officer
GDPR requires certain organizations to appoint a Data Protection Officer (DPO) who is knowledgeable about the regulations and requirements that concern the holding of personal data. While only certain organizations are obliged to appoint a DPO (for example public authorities and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data), it’s highly recommended that every organization appoint someone who is up-to-date and keeps track of changes.
Adopt ‘Privacy-by-design’
Privacy-by-design means building data protection into new projects and internal structural changes from the outset rather than bolting it on afterwards. Such projects and changes can affect all currently held data, possibly infringing people’s rights or transgressing the regulation. To avoid or mitigate this risk, organizations need to conduct a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals.
Good sources of information:
https://www.itgovernance.eu/eu-gdpr-compliance
https://www.eugdpr.org/
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/