This article outlines the benefits, as well as the obligations that the GDPR bestows on an organisation, and how it can approach fulfilling those obligations by May 2018.
The GDPR increases the rights and privileges of EU citizens over the privacy of their personal information. It also increases the obligations on those responsible for processing personal information.
It comes into effect on 25 May 2018 and the time has come to start preparing for it, if you wish to avoid having your organisation bathed in the warm glow of the scrutinizing spotlights of the Data Protection Commissioner, the authority responsible in Ireland for monitoring application of GDPR and exercising restrictions and penalties.
If somebody had told me a decade ago that I would develop an interest in the topic of ‘data’ I would have laughed ..or cried, depending on how I felt at the time. Data meant figures to me, and I have always considered myself less than mathematically inclined. Data was for the accountants, not for me.
Fast forward ten years and that somebody has been proved right. The contemporary subject of protection of personal data with regards to the GDPR I find compelling. These new regulations bring with them a sense of regaining control over the hold that our information society has on our personal information. There is also the agreeable promise of a framework in which organisations can prosper, while acting lawfully, fairly and transparently with regards to personal information.
With less than eight months remaining to carry out the investigation, documentation, communication, negotiation and fortification required to meet the GDPR requirements, it should be on the agenda of all your management meetings from this day forward. Read on to find out how your organisation can get ready to harness the positive effects, and avoid any negative impact, of the GDPR by the implementation date in May 2018.
DOES YOUR ORGANISATION PROCESS PERSONAL DATA?
Under the GDPR, the term processing is used to describe the operations performed on personal data. All processing activities come under GDPR law. See the table below for a set of processing activities.
|ACTIVITIES DEFINED AS PROCESSING UNDER GDPR|
WHAT IS PERSONAL DATA?
Personal data is any information that could be used to identify a living person, called a data subject, either directly or indirectly. Here are some examples of such personal data:
|EXAMPLES OF PERSONAL DATA|
|Name||Medical information||Ethincity||Mobile device ID|
|Photo||Employment history||Religion||Other types of on-line identifiers|
|Email address||IP addresses||Financial record||Posts on social netowrking sites|
|Date of birth||Cookie identifiers|
|‘SENSITIVE‘ PERSONAL DATA|
|Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation (processing of this category of personal data is prohibited, except when specific conditions are met).|
Additional important terms to be familiar with are: the CONTROLLER of the data, which is the entity that determines the purposes (reasons for) and means of, the processing of personal data, and the PROCESSORwhich is the entity that processes personal data. An organisation may be both the controller and the processor.
When processing of personal data is outsourced, the processor processes personal data on behalf of the controller. In such instances, it is important that a CONTRACT is drawn up between the controller and the processor, defining the scope of the processing and the legal obligations and rights of each party.
Electronic and paper versions of records, policies and procedures are the tools that companies will use to demonstrate compliance with the GDPR. Here are some examples of the data sets that must be captured in company records regarding personal data:
PERSONAL DATA – WHAT THE COMPANY RECORDS NEED TO REVEAL
What personal data is being processed?
Why are you processing personal data?
How are you processing it?
Where is it being processed?
FIVE STEPS TO GET STARTED WITH BECOMING GDPR COMPLIANT
A HAPPY ENDING – ADVANTAGES OF GDPR FOR BUSINESS
Under GDPR, old and inaccurate company data will be deleted. Personal data will be held in an accountable manner, with maximum security controls, and staff will process the minimum amount of personal data needed for the company to operate. The result of compliance will manifest as a reduction in quantity, and an increase in quality of stored personal data, with less likelihood of data security breaches. For those engaged in EU trade, the need to deal with multiple data protection authorities will be eliminated, as the rules will be streamlined across the EU. Good news all round!
Any organisation that collects the personal data of EU citizens must comply with the regulations, even if that organisation is outside the EU. In your organisation, is the processing of personal data lawful, fair and transparent? What steps are being taken to maintain the safety, security, integrity and accuracy of personal data?
Under GDPR, each organisation must be able to demonstrate that it is accountable with respect to the processing of personal data. Documentation must be available to show how processing is undertaken and controlled. Preparation for compliance takes time. It would be wise to start implementing the GDPR in your organisation right away!
If you are still unsure about how to start, please contact us here at MCS InTegrated Solutions and our GDPR team will be happy to assist you.