Rights for citizens and constraints for companies: wanting to grant more privacy to its citizens, EU sets regulations for all the companies that store, process and use personal data. Starting with May 25th, 2018, using any personal data without prior consent could result in substantial fines. The EU Data Protection Regulation (GDPR – General Data Protection Regulation) replaces Directive 95/46/CE on Data Protection and it has been designed to harmonize data privacy legislation in Europe in order to protect and give citizens the right to privacy and to reformulate how organizations address personal data.
All you need to know about GDPR so to stay legally compliant with personal data regulations is:
GDPR comes into force starting May 25th, 2018 and it applies if your company is in the EU, sells products and services to EU citizens, or follows the behavior of people living in the EU.
Any personal data could be stored and processed only with the individual’s consent. Therefore, the right to collect personal data is conditioned by an affirmative answer to one of the following questions:
Do you have a contract with the person in this sense?
Do you do this to obey the law?
Do you try to save his/her life?
Do you represent the Government or any other state authority?
Do you have a very good reason that you can document?
Valid legal consent
The valid consent is legally taken into consideration only if the person expressing it makes a real choice, clear and affirmative, free, specific, informed and unambiguous. The consent is documented and easy to be given or withdrawn.
Data processing principles
The following principles justify the scope of GDPR and they serve as foundation for the legal processing of data.
Legitimacy: the above 5 questions have an affirmative answer
Limitation to scope: the reason why data is being processed is the only one in focus
Minimizing data amount: don’t collect more data than what can be justified through scope
Accuracy: do not alter data
Data storage limitation: delete data when you don’t need it anymore
Security: don’t lose or share data
Responsibility: document and prove your compliance with the above
Tips for citizens
Know your rights as an EU citizen and exercise them with confidence. If your personal data is being processed by third parties, then you have the right to access, modify, delete or restrict processing and the right to not be subject of any kind of user profiling activities.
Tips for companies
In practice, the above mentioned principles presume a series of actions. First of all, establish what, why, how, where, for how long and who processes data. Inform the people in advance and get their consent if you don’t already have it (ask for your Legal department’s help). Be aware of the rights that people have, because some of them might be new. Make sure that the data is secure and that you notify the person in charge with data protection about any security breach, if the case. Review Vendor Agreements*; you are responsible for their activity, too.
Inform the people when you process their personal data. According to GDPR, complete information should consist of:
Details about your company, the department interested in the personal data and the assigned DPO (the responsible person with data protection), including his or her contact details;
What is the scope and the base of your data processing activities? Are you under any legitimate interest and if yes, why?
Are you trying to profile the person? If yes, then how?
Who else will receive/ have access to data?
Do you plan on taking the data outside the EU?
How long will you keep the data?
What can an individual do about data processing and how? Please offer a contact address/email if the person wants to ask for deletion/modification of his/her data.
A company that works with contractors is responsible for their actions, too. Once GDPR comes into force, the contracts with vendors will have to include specific instructions, the vendors will also have to maintain data security, any security breaches should be reported and the employees should sign a privacy agreement. Data processing is forbidden without prior consent.
From warnings to administrative fines, prohibition of data export to other countries and withdrawal of certificates, contraventions imposed by DPA (Data Protection Act) are extremely severe. The value of fines varies between 10 – 20 million €, depending on the severity and amplitude of the violation.