Digitisation is rapidly changing the world. On the one hand, it’s making life easier. On the other hand, all this data carries its own risks, and in particular in the area of privacy. That makes it an important issue for the European Union, which is the reason behind the General Data Protection Regulation (GDPR), legislation which affects countless medium-sized companies.
GDPR – what is it and when does the legislation come into effect?
The General Data Protection Regulation (GDPR) has been drawn up to strengthen and standardise the data protection of individuals within the European Union. Many companies will be affected by the GDPR, which is why it is important to be prepared. The regulation is a new legal instrument that was adopted on 27 April 2016 and will come into force on 25 May 2018, following a two-year transition period. The GDPR – in contrast to a directive – does not require further supporting legislation from national governments.
What is in the GDPR?
The GDPR includes a number of basic principles for data protection which are important for companies:
Legality, integrity and transparency – Companies must process personal data in a legitimate and transparent way, and with integrity in relation to the individuals whose data is concerned.
Integrity and confidentiality – Companies must process personal data in a manner which ensures the adequate security of the personal data. This includes security against unauthorised or illegal processing and unintentional loss, destruction or damage. Companies must do this by making use of appropriate technical and organisational measures.
Data minimisation – Personal data must be adequate, relevant and only available to the people it is intended for in relation to the aims for which the data is being processed.
Defining the objective – Companies can only collect personal data for specified, explicit and legal objectives, and may not process it further in a way which does not match the intended objectives. Further processing of personal data for archiving purposes in the public interest, for scientific or historical research, or for statistical objectives is not seen as ‘not in line’ with the original objective. However, in this case, organisations must meet the conditions stated in Article 83(1). This article describes the guarantees and exceptions in relation to the processing of data for the above-mentioned purposes.
Defining storage – Companies must store personal data in a way that allows the identification of the individuals concerned for no longer than is strictly necessary to achieve the objectives for which the company is processing the personal data. Personal data can be stored for longer periods when processed specifically for archival purposes in the public interest, for scientific or historical research, or for statistical purposes. However, this must be in accordance with Article 83(1), and on the condition that the company takes appropriate technical and organisational measures.
Accuracy – Personal data must be accurate and kept up to date where required. Companies must take every reasonable measure to ensure that personal data which is inaccurate, in relation to the objectives for which it is being processed, is deleted or rectified immediately and without delay.
Accountability by the controller
The business controller plays an important role in the GDPR. They are responsible for company compliance with the GDPR principles stated above. Moreover, the controller must be able to prove this.
As a company, what do you have to do to prepare for the GDPR? All companies which process, archive, and pass on personal data must be well acquainted with GDPR legislation. This might be relevant, for example, to the personal data of (potential) customers, employees or suppliers. Make sure you draft a data protection policy, and if you already have one, that you review this policy to ensure that it meets the new legislation.
As a result of the new legislation, you also need new rules of conduct within your company, and training to ensure that people behave in accordance with the new principles. Finally, ensure that your controller has the correct means of proving company compliance with the GDPR. It will take until May 2018 for the legislation to come into effect, but don’t delay preparations and ensure that your company is ready for the new regulations on time.