5 things you need to know about the GDPR

A year has passed since the long-awaited — and feared — General Data Protection Regulation (GDPR) came into force. After spending days and nights reading an endless number of “How is GDPR going to impact your business” blog posts, you probably have a good idea of what these four dreadful letters mean.

FundingBox, FundingBox Blog, May 17, 2019

GDPR redefines at a European scale how personal data should be collected, stored and shared across every sector, from healthcare to banking and beyond, thus protecting your privacy as a citizen and regulating your data use as a company.

But 12 months later, it may be time for a quick assessment. Is your company now GDPR-compliant? If you have understood the five points below, you’re definitely on the right track.

1. What is Personal Data?

An easy one to start with, but are you sure you can enumerate the full list of what encompasses Personal Data?

Name(s) and surname(s), you say? Absolutely! But were you aware that an email address, an IP address, and even a photo are personal data? As a matter of fact, they are. Therefore, a company fan page on Facebook involves data processing just as much as profiling your website’s visitors does.

Under the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’)”. In brief, the moment the information (the “identifier”) you have at your disposal allows you to identify an individual, it is personal data. For instance: “a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

2. To whom does the regulation apply, and what does “processing” mean?

The answer is simple — anyone who processes personal data belonging to European Union citizens for anything other than purely personal or household purposes must comply with the GDPR.

What does this mean?

  1. If you are an EU citizen and you enter your neighbour’s number into your phone, send holiday cards, use a private account on a social network, or send emails to friends, it’s all good: you don’t need to worry about the GDPR.
  2. It does not matter whether your headquarters are in New York, Toronto, Sydney, Tel Aviv, or Antarctica. If you are processing the data of EU citizens (for example, you run an online store and ship your goods to the EU), you are bound by the provisions of the GDPR.

Now, what does “processing” mean?

Well, it refers to “any operation or set of operations which is performed on personal data or on sets of personal data”.

In practice, the list of potential operations is long. Be prepared.

It covers… :

  • Collection
  • Recording
  • Organisation
  • Structuring
  • Storage
  • Adaptation or alteration
  • Retrieval.

…But also… :

  • Consultation
  • Use
  • Disclosure by transmission.

…And not to forget:

  • Dissemination
  • Alignment or combination
  • Restriction
  • Erasure or destruction.

Therefore, data processors include, among others, firms, public entities (e.g. offices, universities, schools, hospitals), entrepreneurs (their legal form does not matter here), foundations, associations and more.

Bear in mind that it makes no difference whether or not the processing is done by automated means. You may write the information down on a piece of paper, use a computer, a mobile phone, a CD or cloud infrastructure, or tattoo it on your chin: from the GDPR perspective, it’s all the same.

3. Who is the Personal Data Controller?

It is worth knowing who the data controller is, as it helps to define your role in the whole data process.

Put simply, the data controller is the entity that determines what data is going to be processed, why it will be processed and how it will be processed.

Do you run an online store? A fitness club? A kindergarten? A medical practice? A law firm? A beauty salon? Or do you simply have at least one employee? Then you can be 100% sure that you are the controller of your employees’ and clients’ data and, as a consequence, you ought to follow the GDPR rules.

4. How to implement the GDPR?

You need to know that the GDPR has brought a significant change in the approach to personal data protection by introducing privacy by design.

Each data controller must carry out, on their own, an analysis of their current processes and determine the risks of data leaks. This involves not only internal processes but also the way they handle data in their relationships with suppliers and clients.

Therefore, privacy should be implemented by default in the data controller’s procedures.

5. The Data Subject’s Rights

The data subjects are the individuals whose personal data is processed. The picture of unscrupulous firms exploiting our most intimate information in the shadows may cross your mind, but fear not: citizens have rights and data controllers have obligations.

So keep your ears open: most of the penalties imposed so far for violations of the GDPR originated in a complaint from a dissatisfied data subject. So what rights do data subjects have?

  1. The right to access data: Everyone has the right to ask the data controller what data it processes about them. A full explanation within a maximum of 30 days is required. Asking should be as easy as possible and cannot involve any fee.
  2. The right to rectify/supplement data: If data subjects determine that their data is incorrect or incomplete, they may request its correction or completion.
  3. The right to limit the processing: A data subject can limit the scope of the data being processed if the data in question is not essential for the firm’s activity.
  4. The right to be forgotten: If you no longer require the services of a company, you can request that your data be deleted.

Other rights also exist, such as the right to transfer data, to object to data processing, not to be subject to profiling and to withdraw consent at any time.

Do note that the aforementioned rights are not absolute (i.e. there are some exceptions). The authorities determine, for each specific situation, whether the law must be applied.

Now that you are aware of the main implications of the GDPR, it’s a matter of implementation. But again, that is easier said than done, and you may still be concerned about both the technological and the organizational practical aspects. SMOOTH is a European project supported by FundingBox that aims to help small companies become GDPR-compliant. The idea is to provide you with user-friendly tools that help you stay compliant and therefore safeguard the data privacy interests of your clients, employees and suppliers. You can now join the pilot programme of our cloud-based solution for GDPR compliance!

#FundingGrowth. We are growth catalysts. FundingBox is the guide for any entrepreneur in the quest for growth. fundingbox.com