Business Article on GDPR for Small Business Enterprises

What is GDPR and why was it implemented?

GDPR or Global Data Protection Regulation is a mandate governed by the European Union. It was implemented to protect the processing of personal data and the privacy of individuals living in countries belonging to the European Union. GDPR replaced the Data Protection Directive, and all applicable organizations need to be compliant with this framework, or else a fine of 20mn Euros or 4% of their annual turnover (whichever is higher) will be charged.

The main aims of GDPR are to -

• Re-assess the way organizations process the personal data of their customers
• Ensure that an individual’s fundamental rights are protected when processing personal data

GDPR Basics

In the GDPR context, personal data means information used to identify a person. E.g. an email address, a username, Biometrics, Identification Number, IP address, and Cookies.

In terms of data protection, the term ‘processing’ is inclusive of the following:

• Collecting
• Recording
• Cataloging
• Storing
• Adapting
• Retrieving
• Erasing

personal data belonging to an individual.

Two main parties known as the Controller and the Processor are involved in processing an individual’s details.

The Controller will be the person or organization that defines the purpose and methods of processing the personal data whilst the Processor would process such data based on the instructions and requirements given by the Controller.

A company can be GDPR compliant by meeting the following requirements:

1. The individual should freely give consent before the data is processed and should be able to withdraw the details at any time
2. If a data breach occurs, the customer must be informed within 72 hours. Failure to do so will result in the company being fined.
3. Transparency is vital. The customer should know what details and why it is collected. Upon customer request, the company should provide a detailed report on the data processed.
4. The customer has the right to request to delete the processed data.
5. Organizations must design data processing systems with maximum security protocols. Fines can be charged if data is not collected in a safe manner.

Application in the Sri Lankan context

GDPR is applicable to any organization that has customers based in a country belonging to the EU. Although GDPR is still new to Sri Lanka, it is important that affected companies abide by the given guidelines since it provides transparent engagement between the organization and the user in a monitored legal environment.

How to ensure the protection of processed client information when using a Third-party technology solution provider

If a company uses Third-party vendors that process client data, they too are responsible to be GDPR compliant.

Some organizations may appoint a Data Protection Officer (who is a public authority) when large amounts of data and regular monitoring are required.

In instances where new technology is implemented, a Data Protection Impact Analysis (DPIA) can be done. This is to test the level of the impact made by processing large volumes of personal data.

Apart from these, take the below steps to ensure compliance with third-party vendors.

• Create awareness and a thorough understanding of GDPR within the organization
• Identify and analyze the type of data processed by third-parties
• Conduct a risk assessment to determine the need for a Data Protection Officer
• Impose an NDA (Non-Disclosure Agreement) specifying the GDPR principles that need to be adhered to by the main organization and third-party
• Ensure that the technology provided by third parties follows the GDPR standards