Whether you've already made a start on your own GDPR compliance roadmap, or you're still considering how to proceed, GDPR is a complex framework for data protection laws and so it's important to check that you have all of your bases covered. Below, we'll go back to the basics of what GDPR is and why it matters for your business.
What is GDPR and what is its purpose?
The GDPR is a new framework for data protection laws with an aim of a set of standardised data protection laws across Europe and making it easier for EU citizens to understand how their data is being used. Given the rapid advances in technology and changes to how data is stored over the past two decades, this new regulation addresses these developments. As a result, GDPR not only harmonises data rules across Europe and changes the way organisations approach data privacy, but creates some new rights for individuals.
The GDPR applies to 'personal data', but what exactly does this cover?
Personal data refers to any information that directly or indirectly identifies a living individual in their private, professional or public life. Given the vast nature of personal data, identifiers include name, identification number, location data, e-mail, online identifier, mobile device ID, IP, address, cookies or to one or more factors specific to the physical, economic or social identity of that person.
Is it just our customers' data we need to be worried about?
As a business, it can be tempting to think about data just in terms of your customers. But if you think about your business as a whole, you are most probably keeping information on such groups as your suppliers and business partners, for example, and their personal data. And in terms of employees, what information might your HR team be holding on your existing employees and those who might be applying to work for you (CVs, ID card, passport copies, etc)?
Where might I, or my colleagues, have this personal data kept?
It's key to note that data does not just relate to information collected through your automated electronic systems or CRM. You may currently have similar records stored in various physical locations, be it spreadsheets, filing cabinets, notebooks, emails, text messages or your desk drawer. And the situation is probably different for each of your departments. With this in mind, you'll need to think about duplicate data, incomplete data, wrong data or old data that you might be storing. You need to address these points to show you have your data in good order.
Is GDPR just about personal data - how you collect it, how you store it and how it’s being updated?
No, it’s also about the security of personal data and who you share it with. You need to be able to prove that you have appropriate technical and organisational measures in place to ensure personal data is kept safe, encrypted and backed up and make sure you provide the necessary on who the data is shared with and, in particular, any transfers outside of Europe.
You are also required (in certain circumstances) to provide an individual with their personal data in a structured, commonly used and machine-readable format or, if requested by the data subject and technically feasible, transfer this data to another service provider (even to your competitor).
Under the GDPR rules, an individual also has the right (in certain circumstances) to request that you stop using their data for some types of processing and/or to be removed from your databases and systems.
What is the difference between a controller and a processor, and does it matter?
It's vital that you understand which category you fall into, to ensure GDPR compliance.
- A controller is the person/authority/agency/body which determines the purposes and means of processing personal data.
- A processor is the person/authority/agency/body which processes personal data on behalf of the controller.
Within your organisation, you will almost certainly be the controller for some types of data and are most probably dealing with multiple processors and sub-processors. You need to make sure that written contracts are in place, that your processors have appropriate security measures in place and that you know what activities your processors are undertaking on your behalf. GDPR stipulates that such agreements must include a number of specific provisions.
Who in my organisation is responsible, at an operation level, for addressing GDPR compliance?
As discussed, it's important to remember that examples of data holding or processing can be found in various areas of your business. For this reason, GDPR compliance is the responsibility of all departments, as personal data could be held in various formats and locations, although ultimately the responsibility will sit with the senior management and directors. Depending on the type of the organisation and business activities, a Data Protection Officer (DPO) may also have to be appointed. Further information on the requirements for a DPO can be found at the ICO’s Guide to the GDPR.
What are the risks of not taking proactive action to ensure compliance?
Burying your head in the sand or just hoping that GDPR will pass you by are simply not approaches you can afford to take. Firstly, with a name-and-shame mechanism for breaches, there is the clear threat of reputational damage. And with maximum fines of up to the greater of 20 million euros or 4% of the group's annual global turnover, it's imperative that your company takes action and has processes in place that align with the new regulations.
We have put together an action plan to get you started with GDPR. Check it out here!
We have put together our brand new guide on GDPR fines where you will be able to read in detail about the breaches that could lead to fines and what you are responsible for.
If you would like further information on how Vaimo can help you on the road to GDPR compliance in respect of your e-commerce and omnichannel activities then please contact us.
The information given in this article concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice. Vaimo assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information.