So, what is GDPR? It stands for General Data Protection Regulation and it’s a major buzzword in 2018. It’s a new regulation, enforced from May 25th 2018, that changes the way personal data is treated for everyone within the European Union: more precisely, the way this data is collected, stored, processed and kept. Under GDPR every organisation is bound by law to protect all personal data, including user and employee data, and to take the actions prescribed by the regulation.
What does this mean for businesses?
While a lot of this GDPR talk may sound complicated and much too legal for most people’s taste, there are a few key points that are quite easy to take in.
How to process data?
Personal data will have to be processed in accordance with the regulation and collected only for specific purposes. These purposes, direct marketing for example, have to be clearly stated and transparent.
Every organisation, no matter where its HQ is located, will have to comply with GDPR if it processes the personal data of European Union citizens.
If data misuse is detected, the company is obliged to inform the regulatory agency within 72 hours. Where deemed necessary, the individuals whose data has been misused must be informed as well.
How to store data?
The new principle of responsibility requires a company to demonstrate compliance with all parts of the regulation and to clearly inform users that they have the ability to manage their data.
Companies are expected to provide all possible means of such management: means that minimise the risk of abuse and protect personal data.
What needs to be stated when processing data?
Companies will now have to abandon the conventional form of agreement, a tick box placed under a huge chunk of text that just says “I agree”, and adapt to agreements as a genuine choice controlled by the user. In other words, the user gets to intervene at any given moment.
What is a Data Protection Officer?
A Data Protection Officer is the person appointed to be in charge of the company’s policy on personal data collection, to raise awareness and to ensure the quality of data protection. Every organisation that deals with personal data collection will have to have a DPO in charge.
What about the users?
Here is a preview of some of the rights a user (also referred to as the Data Subject) has at their disposal:
Right to access – the user has a right to insight into how their personal data is being used and for which purposes. According to eugdpr.com this is a right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. It’s being called a “dramatic shift to data transparency and empowerment of data subjects.”
Right to a correction – the right to request that incorrect data be edited and that incomplete data be filled in by filing a statement.
Right to be forgotten – also known as Data Erasure, it grants individuals the right to ask organisations to delete all of their personal data for which there is no explicit reason for further processing. This means that organisations only get to keep the data they truly need to be able to provide their service. There are, however, legal boundaries for data erasure and it is important to know and recognise legitimate reasons for taking this action.
Right to limit processing – in certain situations (for example when the accuracy of the data is questionable) a user has a right to request a limitation of processing, with the exception of storage and a few other actions.
Right to data portability – a user has a right to obtain their data in a commonly used and machine-readable format in order to transfer it to another service provider (also referred to as a controller).
Right to an objection – for example, a user has a right to object to their data being used for purposes such as profiling.
There are two tiers of penalties for breaches. In some cases, such as breaching the obligations of a data processor, there is a prescribed fine of up to 10 million euros or 2% of global income.
In others, such as data transfers to third-party countries for example, there is a maximum fine of 20 million euros or 4% of global income, whichever is higher.
So what do you do now?
For users this is all well and good, but as a responsible manager, what do you need to do next now that you know about the upcoming changes? There is a great guide on knowhownonprofit.org about the steps you need to take to make sure the transition goes smoothly:
Make sure the right people in your organisation know this is coming – it may seem obvious, but it is vital.
Identify what data you hold and where that data came from – this means all personal data including employees and volunteers, service users, members, donors and supporters and more.
Update your privacy notices
Be precise, be clear, make it easy to understand.
Check if your processes meet individuals’ new rights
Prepare your processes for the different scenarios that come with GDPR. Simulate a user who suddenly wants their data erased and test the scenario: you need to be able to find all of that data.
Know how you will deal with ‘subject access requests’
Make sure you can provide the data within the set period of one month and in a commonly used format. For more information on this, knowhownonprofit.org recommends its guide to GDPR.
Identify and document your ‘lawful basis’ for processing data
Consult with your legal department.
Review how you get consent to use personal data
Gone are the days of tick boxes and tacit agreements. Consent on personal data use has to be clear and transparent.
Build in extra protection for children
Depending on local laws, children under certain ages cannot give consent.
Get ready to detect, report and investigate personal data breaches
Make sure you have the means to detect, investigate and report a personal data breach.
Build data protection into your new projects
Most organisations have always practised this because it is good business; now, however, it is a legal obligation.
Decide who will be responsible for data protection in your organisation
Appoint a DPO.
Get up to speed on data protection and fundraising
This applies if you use personal data for fundraising purposes.
Further reading (as if this was not enough)
Here are a few good sources to get further insight into GDPR:
EUGDPR – official GDPR portal
GDPR and Beyond – online media hub
Knowhownonprofit – the e-learning community