GDPR – One month to go !
The EU General Data Protection Regulation (GDPR) becomes enforceable by law on May 25th. It will replace the Data Protection Directive 95/46/EC. The regulation sets out the rules for the processing of personal data and is “intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union ….and to the well-being of natural persons”.
Even though it is a lofty aspiration, businesses and organisations are expected to have the GDPR ingrained in their culture in such a way that it is borne out in practice. Enforcing it in practice are the data protection authorities of all the Member States of the EU. Protected by it are all the citizens of the EU.
If, for whatever reason, your organisation has not yet paid any attention to processing personal data in line with the rules of GDPR, this article aims to motivate you to start now, with less than one month to go, by explaining how you may be putting your business as well as those who hand over their personal data at risk.
Once you have a practical understanding of the what the GDPR aims to achieve, it will become clear why it is good for your business and why inaction is not an option.
TWO IMPORTANT FACTS ABOUT THE GDPR
The first thing to know about the GDPR is that it is designed to uphold the fundamental rights and freedoms of individuals as granted under EU Charters and treaties – among other rights, all individuals have the right to the protection of their personal data, the right to private and family life, home and communication, freedom of expression and information, the right to a fair trial and an effective remedy.
The second thing to know about the GDPR is that it is a risk based approach to data protection. You are expected to know what personal data your business collects, uses, stores and shares. You are also expected to assess the impact the processing of this data may have on the lives of the data subjects who provided the data. In other words, what risk or danger do your operations pose to the rights of individuals. The individuals may be your employees, customers, students, the public etc.
THE CONCEPT OF RISK AS IT APPLIES TO PROCESSING PERSONAL DATA
It is important that personnel in your organisation understand how the collection, use etc of personal data may pose a risk to the rights of individuals. And that those individuals have the right to information and to seek a remedy if you breach those rights.
The concept of ‘risk’ as it relates to processing of personal data is explained in GDPR recital 75.
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to:
in particular, where the processing may give rise to
where data subjects might be deprived of:
where personal data are processed which reveal:
the processing of:
analysing or predicting aspects concerning:
where personal data of vulnerable natural persons, in particular of children, are processed; or
where processing involves:
To know if your business presents any of the above risks, you must have detailed knowledge of what personal data is processed by your business and how. This is the first, and possibly most challenging stage of complying with GDPR. It entails gathering information on all personal data the business has in its possession or outsourced to another. However difficult, it is both a revealing and rewarding exercise. So, it is worth thinking about how best to approach this data discovery step. It is explained a little in step 2 of the action plan below.
So now you understand better why the GDPR makes sense and is here to stay, know also that there is still time to gather a data protection team together and initiate a GDPR compliance plan for your organisation by 25th May. Follow the steps below and you should not feel infirm if you have a visit from the Data Protection Commissioner on 26th May.
A 10 STEP FAST TRACK APPROACH TO GDPR COMPLIANCE
Diagram 1. Flow diagram showing how personal data may be processed in line with GDPR
Diagram 2. Modified data flow mapping tool, original developed by Anthony Budd
Contact the GDPR Services team at MCS Integrated Solutions if you outside need help to get started with implementing the GDPR. We provide training, practical workshops, risk assessments and much more!
Sarah O’Connell at firstname.lastname@example.org
Jim Warren at email@example.com
John Anderson at firstname.lastname@example.org
Here is one of the many useful resources available on-line: