GDPR COMPLIANCE
GDPR compliance means that all your data processing complies with the General Data Protection Regulation principles laid out in Article 5 of the Regulation.
It applies to all personal data that you access, view, or process in any way or form: from employees to customers' work emails, from codes and pseudonymised data up to the point where it can reasonably be considered anonymous, and from internal systems to documentation management.
GDPR fines are high: up to 20 million euro or 4 % of your yearly revenue, whichever is higher. You won't be fined for a data breach or hack that is out of your control, but you will be fined for a lack of preparedness.
The Article 5 principles are:
Data minimisation: No more data than necessary for your purpose should be collected and kept.
Lawful, fair, transparent: Collect data only with a legal basis and be transparent about what you are collecting.
Purpose limitation: Define a specific purpose and don't use the data outside that purpose.
Accuracy: Provide data subjects the possibility to make data accurate.
Storage limitation: Define retention periods per type of data to avoid keeping data longer than necessary.
Integrity and confidentiality: Secure data with appropriate security measures.
Accountability
Even though data protection obligations apply to every company and individual, in practice the required implementation and documentation differ from one to the other.
For example, an individual should always make sure they have received unambiguous consent from another individual before publishing that person's personal information on social media, and that consent can be given verbally; companies collecting sensitive information about minors or patients, on the other hand, need a fair bit of documentation in order to show compliance.
GDPR
The GDPR, as a European regulation, applies equally to citizens in Europe, to companies situated in Europe, and to companies based outside Europe that collect personal information from citizens in Europe. (This means not just 'Europeans' but also foreign people residing in Europe.)
Each European Member State has a Data Protection Authority office, which works as a data protection enforcement office. It can investigate and impose high fines on individuals and companies that are unlawfully collecting personal data from individuals in their Member State.
Personal data
The GDPR is only applicable where identifiable personal data is involved. This means any type of data that says something about, or relates to, a data subject.
Pseudonymised data should be treated and protected as personal data, since a chance remains that data subjects can be re-identified.
Additional protection measures should be taken (including the appointment of a DPO) when data collection exceeds 2000 data subjects, and/or when the data relates to religion, race, ethnic origin, political beliefs, union membership, genetics, biometric data used to identify a person, health, or one's sex life or sexual orientation.
Data life cycle
Data protection should be considered from the moment you want to collect any type of personal data to the moment you delete it, remove it from your processing activity in any way or form, or want to subject it to another purpose. We must understand the principles when deciding the legal basis of the data we process, in conjunction with the purpose limitation, the actual activity, retention, storage, and how it is implemented in practice.
Data protection must be ensured as 'privacy by design' and 'privacy by default'. When data protection principles are known and it is understood where to stop and ask for the correct guidance for risk assessments, privacy by design flows over into privacy by default.
GDPR Roles
To ensure data protection compliance, you should know what role you play and what roles others play per type of personal data. The role consequently affects your (legal) responsibilities towards the data, the data subjects, and the data life cycle.
The legal roles within data protection are Controllers (the one deciding about what data shall be collected and for what purpose), Processors (the one following 'instructions' or acting on behalf of the Controller) and Third Parties, who are processing personal data, but outside the role of Controller or Processor.
To show accountability and understand where your responsibility lies, you must know which roles other parties play.
Security measures
The GDPR speaks of 'technical and organisational security measures'. These measures stretch from security of the data itself, such as pseudonymisation and anonymisation, to technical measures such as firewall protection, hardened systems and malware protection, and organisational measures such as employee data access controls, a password policy, a clean desk policy and GDPR training.
There is no point in having policies in place if no one knows their content or cannot follow them. Therefore, employees should be made aware of the company policies and should be trained in data protection.
It is recommended to carry out a full internal audit at least annually to check your systems and your data protection governance.
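The difference between pseudonymisation and anonymisation mentioned above is easy to get wrong in practice, because an unkeyed hash of an identifier looks anonymous but is not: anyone who knows a candidate identifier can recompute the hash and confirm the match. The following added example (not code from the original page) contrasts that with keyed pseudonymisation, where the controller holds a separate secret key and re-identification requires it. The record set, field names, and CONSTRUCTED_KEY are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def new_controller_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key.

    The key must be stored separately from the pseudonymised data set
    (e.g. in a secrets manager) so that the data alone cannot be reversed.
    """
    return secrets.token_bytes(32)


def _canonical(value: str) -> bytes:
    # Normalise so that "Alice@Example.org" and "alice@example.org " map to
    # the same token; otherwise linkability across records would break.
    return value.strip().lower().encode("utf-8")


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Anyone who can guess the input can recompute this token, so it does not
    remove the identifying property of the data: it is not anonymisation.
    """
    return hashlib.sha256(_canonical(value)).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a controller-held secret key.

    Without the key the token cannot be recomputed from a candidate value,
    so the key store is the asset that must be protected.
    """
    return hmac.new(key, _canonical(value), hashlib.sha256).hexdigest()


def can_reidentify(token: str, candidate: str, key: Optional[bytes]) -> bool:
    """Could a party holding `candidate` (and `key`, if any) confirm that
    `token` belongs to that data subject? Constant-time comparison is used
    so the check itself leaks nothing about the token."""
    if key is None:
        return hmac.compare_digest(token, naive_pseudonym(candidate))
    return hmac.compare_digest(token, keyed_pseudonym(candidate, key))


def pseudonymise_records(records: list, key: bytes) -> list:
    """Replace the direct identifier (email) with a keyed token and keep
    the remaining fields, which are still personal data under the GDPR."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject_id"] = keyed_pseudonym(rec.pop("email"), key)
        out.append(rec)
    return out


# Constructed sample data and a constructed fixed key (use new_controller_key()
# in real deployments).
CONSTRUCTED_KEY = bytes.fromhex("11" * 32)
SAMPLE_RECORDS = [
    {"email": "Alice@Example.org", "plan": "basic", "last_login": "2024-01-05"},
    {"email": "bob@example.org", "plan": "pro", "last_login": "2024-02-11"},
]

if __name__ == "__main__":
    pseudonymised = pseudonymise_records(SAMPLE_RECORDS, CONSTRUCTED_KEY)
    for rec in pseudonymised:
        print(rec)
    token = pseudonymised[0]["subject_id"]
    print("re-identifiable without key:", can_reidentify(token, "alice@example.org", None))
    print("re-identifiable with key:   ", can_reidentify(token, "alice@example.org", CONSTRUCTED_KEY))
```

The point for the risk assessment is that both variants keep the data within the GDPR's scope; the keyed variant only moves the re-identification risk to the key, which is why the key must sit in a separate, access-controlled store with its own retention and rotation rules.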
Accountability
The principle of accountability covers both your own data protection compliance and holding others accountable for theirs. This is only possible if everyone, every party, understands its role and responsibilities.
Accountability can be demonstrated through one's paper trail and documentation governance, but also in practice: in internal working systems where the DPO is part of the processing activities and staff are aware of their tasks and responsibilities, guidance is requested whenever data protection counsel is (legally) required.
If we do not hold our partner accountable, we ourselves are not GDPR compliant. We must show we did our due diligence, as we promised fairness and transparency to our data subjects.