Personal data management
soon becomes even more exciting…
What does GDPR mean for your business?
Personal data must be processed lawfully and be collected only for specified, explicit purposes. Collected data has to be minimised, accurate and kept up to date. It needs to be processed in a manner that ensures appropriate security and protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.
The new accountability principle requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. You are expected to put into place comprehensive but proportionate governance measures. These measures should minimise the risk of breaches and uphold the protection of personal data.
In the event of a data breach, the Company will have to notify the supervisory authority and the affected individuals within 72 hours of the breach occurring. Such a scenario might result in fines of up to 20 million EUR or 4% of annual turnover, which the Company would have to bear.
The Data Protection Officer is a new role that will be introduced into the Company's organizational landscape. Some of the responsibilities of this role will be to manage the Company's policies for handling personal data, raise awareness of the need to protect personal data and provide quality assurance.
What does GDPR mean for an individual?
An individual takes back complete control over their personal data collected by businesses. The purpose of this process is to establish a better relationship between the individual and the Company, based on trust and transparency regarding the use of personal data.
All personal data processing activities must have a lawful basis. Consent is one of six lawful bases, and under GDPR consent must be clear, unambiguous and specific, and consent that has been given should be easy to revoke.
The individual has the right to ask for insight into their personal data and how it is being processed, which is called the Subject Access Right. Customers are also now able to ask for their personal data package to be "ported" to another provider of services or goods, which is called the Data Portability Right.
Individuals will have the right to demand that companies erase all their personal data for which there is no compelling reason to continue processing. This right is not absolute, because there are legal limits to erasure, and it is crucial to understand the lawful basis for processing. The right applies when an individual's personal data is no longer necessary for the purpose for which it was collected.