GDPR — HERE’S WHAT YOU NEED TO DO NOW

Teemu Marttinen, Dealsign
Published May 21, 2018 (5 min read)

The European Union's General Data Protection Regulation (GDPR) applies from 25 May 2018. The new regulation affects all companies that control or process personal data, and its aim is to improve data protection and transparency towards the people whose data is handled.

This post explains how personal data must be processed and controlled under the GDPR. It also gives practical hints on signing agreements with the partners you share personal data with.

What is the GDPR?

The GDPR applies to the processing of personal data by organizations established in the EU, and also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. It applies from 25 May 2018, from which date onward all processing of personal data must comply with the regulation.

The key principles of the previous Data Protection Directive (95/46/EC) and the national laws implementing it carry over into the GDPR, but many new requirements have also been introduced. The aim of the new regulation is to empower data subjects and expand their rights while increasing the obligations of data controllers and processors.

[Image: GDPR mindmap]

When is the collecting and processing of data allowed?

Companies and organizations must first identify the situations in which they control or process personal data, and choose a lawful basis for each processing activity. Article 6 of the GDPR lists six lawful bases for collecting and processing personal data:

1. The data subject has given consent to the processing. Consent must be freely given, specific, informed and unambiguous, and the company must be able to demonstrate that it was given. Implied acceptance of a privacy policy when entering a website, a pre-ticked box or mere inactivity does not count as consent.

2. Processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into one (e.g. fulfilling a purchase or sales transaction, or a written service agreement).

3. Processing is necessary to comply with a legal obligation the controller is subject to (e.g. bookkeeping and tax record-keeping requirements).

4. Processing is necessary to protect the vital interests of the data subject or of another person.

5. Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller (typically public authorities).

6. Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights of the data subject. Relying on this basis requires a documented balancing test (e.g. keeping a suppression list so that a customer who has asked not to be e-mailed is not contacted again).

For most commercial companies, data collection will rest on the first, second or sixth basis.

The drawback of relying on consent is that the data subject may withdraw it at any time, and withdrawing must be as easy as giving it. Processing based on that consent must then stop, and if no other lawful basis applies the data must be erased. The company therefore needs a working process for handling withdrawals, which adds work and cost.

The most practical basis for most business relationships is the second one, contractual necessity. Note, however, that the purpose limitation principle still applies: data collected to perform a contract may only be used for purposes compatible with that contract. Using it for something else, e.g. testing or building additional services, requires a separate lawful basis and informing the data subject about the new purpose.

Is our company a data processor or a data controller? What’s the difference between these two terms?

A data controller is the entity that determines the purposes and means of processing personal data. A controller typically maintains one or more registers of personal data, made up of e.g. customer data, purchase or sales data, website visitor data or loyalty programme member data.

A data processor, by contrast, is an entity that processes personal data on behalf of the controller and on its documented instructions: collecting, storing, transferring or erasing data in practice, for example a hosting provider or an e-mail marketing tool. The GDPR treats the controller as the party primarily responsible for compliance, but processors have direct obligations of their own, including implementing appropriate security measures, keeping records of their processing and notifying the controller of a data breach without undue delay.

What rights do data subjects have and what kind of penalties can be issued for companies for breaches?

If a company or organization violates the GDPR, it can face administrative fines, corrective orders from the supervisory authority and claims for damages from data subjects. For the most serious infringements the fines can be up to 4 percent of the company's total worldwide annual turnover or 20 million euros, whichever is higher; a lower tier of 2 percent or 10 million euros applies to other infringements. The possible damage to a corporate brand, however, cannot be measured in advance.

When a company follows the rules on processing and keeps its documentation in order, the risk of liability in an inspection is significantly lower. The protection of personal data must be appropriate to the risk involved, and the processing must be planned and documented. A personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. When the breach is likely to result in a high risk to them, the affected data subjects must also be informed without undue delay.

Special categories of personal data, often called sensitive data, require particular care: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic, biometric, health and sex-life data. Storing or transferring such data is prohibited unless one of the conditions in Article 9 applies; for most companies the relevant condition is the data subject's explicit consent, which must be fully documented. Where an online service offered directly to children relies on consent, parental consent is required for children under the age of 16 (member states may lower this limit to 13).

A customer or data subject has the right to be informed of how, where and why their personal data is being processed. If a data subject asks to see the data held about them, the controller must provide it without undue delay and within one month at the latest; for complex or numerous requests this can be extended by two further months, provided the data subject is told why. In addition, the data subject has the right to have inaccurate data corrected, to have their data erased in the circumstances set out in Article 17, to object to processing, and to withdraw consent at any time and so deny further use of their data.

Facebook found itself in the eye of the storm after it emerged that data on tens of millions of its users had been harvested through a third-party app and passed to the political consulting firm Cambridge Analytica. CA used the data to target specific voters during the 2016 presidential race between Hillary Clinton and Donald Trump, without the users' knowledge or consent. Under the GDPR, a data subject whose data is collected has the right to know how it is being used and to whom it is disclosed.

I have a company and I’m processing data. What should I do?

The GDPR applies from 25 May 2018, which is why companies handling personal data should take appropriate action without delay.

Where personal data is transferred to a partner that processes it on your behalf, the GDPR (Article 28) requires a written data processing agreement between the two parties. Taking the initiative in the signing can save time and a lot of paperwork, as the same contract template can be reused across all partners. It also demonstrates that your company takes the legal requirements seriously and aims to fulfil them.

Before drawing up the contracts, it is useful to organize personal data into logical units or registers; this also forms the basis of the record of processing activities that Article 30 requires. Each register can be given descriptive attributes, e.g. customer data, website visitors, loyalty customers, and for each you can record how the data is used, how long it is retained and which data security measures are applied when it is processed.

[Image: an example of a loyalty data register]

Partners can then be divided into groups depending on the nature of the data transferred to them and the role they play (processor, or an independent controller in their own right).

The processing agreement must set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects involved, to whom and where the data is transferred, how it is protected and how long it is retained. If the processor uses a subcontractor (a sub-processor), this requires the controller's prior authorization and must be covered in the contract, with the same data protection obligations flowing down to the sub-processor.

About Dealsign

Dealsign is an online service that makes negotiating, signing and managing contracts easy and fast for businesses of every size.

Handling the contract negotiations through the Dealsign service is an excellent way to save time and effort in the contracting stream of your GDPR project.

Dealsign’s core innovations make it possible to negotiate with multiple parties online, in real time, with no worries about versions and change histories. Upload your own templates or negotiate based on templates provided by our partners.

We provide you access to contract templates and other documents provided courtesy of our global partner network of market leading law firms.

Make your contracts smart.

Teemu Marttinen

Dealsign, Co-founder

Read more about Dealsign www.dealsign.io

Read more about EU GDPR https://www.eugdpr.org/
