GDPR for dummies — Vol. 1.
GDPR. Christmas comes early this year, as we have taken it upon ourselves to read 88 pages of lawyer nonsense and provide you with all the basic information you need to be prepared for when the General Data Protection Regulation comes into force. During the coming weeks, we will present to you an advent calendar of GDPR articles, this being the first.
Step #1 — Learn the basics (The first of four steps to becoming GDPR compliant)
The potential impact of The General Data Protection Regulation can hardly be overstated. It has been called “a milestone of the Digital Age” and “the single most important change in privacy law for the UK and EU in the last twenty years.”
If you think that it does not apply to you, you are most likely wrong (even employment contracts contain personal data that requires you to take measures). The first step towards compliance is realizing that you have to act and that the GDPR will have an impact on your workflow. That said, GDPR should not be that hard to implement. The law is complex and difficult to understand, but most companies only have to make minor adjustments.
During the next four weeks, we will guide you along the easiest and safest road to compliance.
Realize that your GDPR compliance will not fix itself
Read the following to acquire the basic knowledge (or read the whole thing right here).
Get started: Find out what kind of data you handle, how you handle it and why you handle it.
1) Important dates
GDPR was ratified in April 2016. After a two-year transition period, it will be enforced from May 2018. That is when you have to be ready!
It is an extension of a directive from 1995. Back then, no one had the imagination to envision the digitalized and data-driven world of today, so the GDPR is designed for the digital age.
Note that GDPR is a regulation and not, as in 1995, a directive. A regulation is directly legally binding and not just a goal. This means that the European nations do not have to pass GDPR into national law themselves.
2) The purposes of GDPR
1. It aims to protect all EU citizens from privacy and data breaches. Generally, it gives individuals (technically referred to as data subjects) better control of their personal data. By strengthening data protection, the EU hopes to reinforce consumer trust in the digital economy.
2. GDPR harmonises data laws across all European nations to make the rules simpler and more transparent for businesses operating in the European Union. This digital single market is estimated to save businesses €2.3 billion a year.
3) Fines
This is what you have been wondering about since the first paragraph, right? What happens if you do not give a damn? Well, the most serious infringements can be penalised with fines of up to 4 % of your global turnover in the preceding financial year or €20 million (whichever is higher).
Minor breaches of GDPR are not penalised as hard, but you can still get fines of up to 2 % of your global turnover in the preceding financial year or €10 million (whichever is higher).
4) Who does this apply to?
Everyone. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Data controllers are organizations that collect data and determine the purpose of its processing. If you hire a person and conclude an employment contract containing personal data such as name and bank details, you are considered a data controller.
Processors are organizations that process data on behalf of the data controllers. It could be a bank, a law firm or a cloud-based service storing the employment contract, such as Contractbook.
So what is personal data? Technically it is: “any information relating to an identified or identifiable natural person.” It could be information like name, social security number, ID, location, bank details, photos, IP address, cookies and even physical, cultural and social factors that make a person identifiable. One factor, such as a name or social security number, could be enough.
Note that the GDPR introduces an increased territorial scope, which means that the law applies to all companies processing personal data of individuals residing in the EU (it does not matter if your company is located in Panama, the United States or North Korea).
Size matters (at least in this instance), as companies with more than 250 employees have to meet higher demands.
What should I do?
Since this is the first one, we will be easy on you with the homework.
Next week, we will continue with Step #2 — Manage Consent