The implementation of the General Data Protection Regulation (GDPR) principles is an ongoing process. To an uninformed bystander, it may look as though little changed after 25 May 2018. However, there are gradual improvements that show the direction the process is taking.
Most notably, general awareness of the compliance challenges and knowledge of good and bad practices have grown, and on a larger scale, countries across the globe have recognized the urgency of passing laws similar to the GDPR.
This means that supervisory authorities are getting stricter with fines, and the public in general is getting a better sense of their rights and how to exercise them.
For businesses, this means that you will have to deal with more knowledgeable customers and implement a number of data privacy and data security measures. Privacy has become part of the strategic vision of any company that wishes to keep its customers.
Data protection principles
Personal data must be processed lawfully and be collected only for specified, explicit purposes. Collected data have to be minimized, accurate and kept up to date. It needs to be processed in a manner that ensures appropriate security and protection against unauthorized or unlawful processing, accidental loss, and destruction or damage, using appropriate technical or organizational measures.
Six principles for processing of personal data
1. Lawfulness, fairness, and transparency
The GDPR states that you must inform an individual of any personal data processing in a timely and understandable way, using easily understandable language. There is a mandatory list of information that needs to be disclosed to an individual prior to the processing of his personal data.
2. Purpose limitation
You must only collect personal data for a specific, explicit, and legitimate purpose. You must clearly state what the purpose of collecting is, and collect data only for the time that is necessary to complete the purpose.
3. Data minimization
You must ensure that the personal data you process is adequate, relevant, and limited to what is necessary in relation to your processing purpose. Put the data minimization principle into practice at your data collection points and make sure the data subject is notified of who collects the data, how his/her personal data is used, how long you will keep the data, and whether any third parties are involved in the processing.
4. Accuracy
You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
5. Storage limitation
You must delete personal data when you no longer need it. The time scales, in most cases, aren’t set. They will depend on your business’ circumstances and the reasons why you collect this data. We strongly recommend you download our eBook that explains in detail how to orchestrate GDPR-compliant data removal and how to create data retention policies.
6. Integrity and confidentiality
You must keep personal data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Accountability
The General Data Protection Regulation integrates accountability as a principle which requires organizations to put in place appropriate technical and organizational measures and to be able to demonstrate compliance to the supervisory authority.
The accountability principle requires you to demonstrate compliance with the GDPR and explicitly states that this is your obligation. You are expected to provide comprehensive but appropriate measures, that is, measures that minimize the risk of misuse and protect personal information.
These measures can include:
• keeping appropriate documentation on what personal data is processed, by whom and for how long
• keeping compliant Records of processing activities
• introducing internal procedures for the GDPR processes
• appointing a Data Protection Officer, or documenting an internal analysis of whether you need to appoint a DPO or not, so you can demonstrate that all relevant factors were taken into account
• introducing appropriate IT measures and systems for processing, managing and protecting personal data
A data breach is a security incident in which information is accessed without authorization or disclosed unintentionally. A personal data breach can be:
• Access by an unauthorized third party
• Changing the data without permission
• Action or inaction by controller or processor – deliberate or accidental
• Sending data to the wrong recipient, etc.
In the event of a data breach, the company will have to notify the supervisory authority and the affected individuals within 72 hours of the breach occurring. Such a scenario might result in GDPR fines of up to 20 million EUR or 4% of annual turnover, which the company would have to bear.