What does GDPR mean for your business?
Implementation of the GDPR principles is an ongoing process. To an uninformed bystander it may look as if nothing much changed after 25 May 2018, but there are small signs that show where the process is heading.
Most notably, general awareness of the compliance challenges and knowledge of good and bad practices have grown. On a larger scale, countries across the globe have realized the urgency of passing laws similar to the GDPR.
This means that regulatory bodies are getting stricter with fines, and the public, in general, is getting a better sense of its rights and how to exercise them.
For businesses, this means you will have to deal with more knowledgeable customers and implement a number of data privacy and data security measures. Privacy has become a strategic priority for any company that wishes to keep its customers.
Data protection principles
Personal data must be processed lawfully and be collected only for specified, explicit purposes. Collected data has to be minimized, accurate and kept up to date. It needs to be processed in a manner that ensures appropriate security, using appropriate technical or organizational measures, including protection against:
- unauthorized or unlawful processing,
- accidental loss,
- destruction or damage.
Six principles for processing of personal data
The GDPR promotes these data protection principles that relate to:
- Lawfulness, fairness, and transparency – GDPR states that you must inform an individual of any processing of their personal data in a timely and understandable way, using plain language. There is a mandatory list of information that needs to be disclosed to an individual prior to processing of their personal data.
- Purpose limitation – you must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what the purpose of collection is, and keep the data only for the time that is necessary to complete that purpose.
- Data minimization – you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
- Accuracy – you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
- Storage limitation – you must delete personal data when you no longer need it. In most cases the timescales aren’t set; they will depend on your business’s circumstances and the reasons why you collect this data.
- Integrity and confidentiality – you must keep personal data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The General Data Protection Regulation also integrates accountability as a principle, which requires that organizations put in place appropriate technical and organizational measures and be able to demonstrate what they did when requested.
This principle requires you to demonstrate compliance with GDPR and explicitly states that this is your obligation. You are expected to provide comprehensive but appropriate measures that minimize the risk of misuse and protect personal information.
In case of a data breach, the company will have to notify the supervisory authority and the affected individuals within 72 hours of the breach occurring. Such a scenario might result in fines of up to 20 million EUR or 4% of annual turnover, which the company would have to bear.