By: Boris Kontsevoi, Founder and President, Intetics, Inc.
It’s Safe to Say GDPR Has a Worldwide Impact on How Companies Will Handle Data Protection
With the new General Data Protection Regulation (GDPR) now in effect in the European Union, how to achieve compliance is one of the hottest topics right now. Intetics shares its experience of becoming fully compliant with the new privacy laws.
About the Legislation
Generally speaking, the main goal of the new legislation is the protection of the freedoms and rights of all individuals located in the territory of the European Union, regardless of their citizenship. It builds on previous data protection laws and takes a more thorough approach to the issue. GDPR takes into account the accelerating world of international e-commerce and offers a more detailed and up-to-date set of norms for handling the personal data of a company’s client base.
In many respects, the General Data Protection Regulation shifts the way we handle data and, most importantly, grants new powers to data subjects. It’s necessary to emphasize that GDPR covers the protection of the data of all individuals located in the European Union. In practice, that means that every company that collects data in the European Union must comply with the regulation, even if the company itself is not present in the EU.
Given the circumstances, it’s safe to say that GDPR has a worldwide impact on how companies will handle data protection. It’s also worth mentioning that the penalties for those who don’t comply with the GDPR are rather impressive: the maximum penalty is 20 million euros (about $25 million) or 4 percent of annual worldwide turnover, whichever is larger.
As such, every company should develop a cohesive risk management strategy and, most importantly, a compliance plan. A compliance plan is an essential part of a smooth transition that enables you to tackle all aspects of transformation in accordance with the requirements. It minimizes the risk of misconceptions and organizes the process in a comprehensive and achievable timeline.
Below are the lessons our company learned during our journey to become fully GDPR compliant:
1. Learn the Terminology
The General Data Protection Regulation is a legal document, which means that it is written using specific terminology that we most likely don’t use on a day-to-day basis. The body of the legislation consists of 11 chapters, 99 articles and nearly 200 recitals. Needless to say, it is fairly lengthy and complicated, and it requires some preparation from the reader. To make it easier to understand, here are the main terms used in the regulation.
- “Personal data” – refers to any information relating to an identified or identifiable person. An individual can be identified by name, an identification number, location data or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- “Controller” – describes any actor that determines the purposes and means of the processing of personal data.
- “Processor” – refers to a third party (vendor) that processes data in ways approved by the controller. It is the controller’s responsibility to ensure that the vendors it works with stick to the rules of the regulation. Where vendors do not meet the standards of GDPR, it is the company’s responsibility to work with them to close the gap.
- “Data subject” – refers to an individual whose personal information is being processed by controllers and processors. GDPR aims to protect the rights of data subjects located in the European Union.
2. Ask for Consent
To ensure that data processing is lawful, data subjects are asked to give consent to the use of their personal information, unless the processing is necessary for compliance with a legal obligation, for protecting the interests of the data subject, for performing a contract with the data subject, or for the legitimate interests pursued by the controller or by a third party.
3. Know Your Rights
The regulation introduces some new rights for data subjects and reinforces rights that were already known. From now on, individuals will have significantly more knowledge of, and power over, the personal information they share with companies.
For instance, data subjects have the “Right to Rectification” and the “Right to be Forgotten.” In practice, this means that at any point in time an individual has the right to contact the company and ask it to delete or change his or her information. According to the legislation, the data must be modified or removed immediately, and no later than one month after the individual’s request. However, the Right to be Forgotten can be exercised only where it does not conflict with the data-processing laws of the given country.
Individuals will have the power not only to withdraw consent to the use of their data, but also to move it elsewhere. The “Right to Data Portability” enables customers to request that their data be transferred to a different controller. Basically, a customer can ask your company to transfer their data to a different company, which may even be a competitor.
Some changes are also introduced to the rules on notification. In the case of a personal data breach (unauthorized disclosure of any data to a third party), the individual must be notified immediately. According to the GDPR, data subjects should be notified without delay about the loss or disclosure of any type of their personal information if it is expected to put their rights and freedoms at risk.
4. Create a “Data Map”
In line with the regulation, all controllers should follow a data minimization strategy, which dictates that companies collect only the data necessary to perform their services and agree with the processor to destroy the data as soon as the specific task is completed.
Companies have to demonstrate that they handle data deliberately. Every question in a customer survey should be justified and its purpose explained. Most importantly, a company should be able to present the data protection methods it uses to keep data safe. These include data encryption, the use of secure storage services, and so on.
Creating a “data map” is an easy way to keep a record of processing activities. The map can be created with dedicated software or with a simple graphics editor. Data maps are especially advisable when working with clients’ personal data. It is important to include who in the company has access to specific data and at which stage of processing. Mapping data also helps to classify it as sensitive, confidential or public and to track its flows. An important part of any map is monitoring cooperation with vendors, as it is the company’s task to check that vendors also comply with GDPR and process data in accordance with your agreements. A list of processors and the details of your agreements with them should always be within reach so that they can be reviewed easily.
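As an added example (not Intetics’ own tooling, and not part of the original article), the data map described above can be kept as structured records rather than a drawing, so that the checks a reviewer would otherwise do by hand (every activity has a stated purpose, a lawful basis, a classification and a retention period; every vendor receiving data is on the processor list with an agreement in place) run automatically, and the flows of one category of personal data can be queried. It also tracks the rectification and erasure requests from the “Know Your Rights” section against a deadline. All record names, vendors and dates below are constructed sample data; the 30-day deadline is an assumption standing in for the article’s “within a month”.

```python
# Added example: a machine-readable "data map" (record of processing activities)
# with consistency checks and a request-deadline tracker. All sample records are
# constructed; the 30-day deadline is an assumption for "within a month".
from dataclasses import dataclass
from datetime import date, timedelta

LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "legitimate_interests"}
CLASSIFICATIONS = {"sensitive", "confidential", "public"}


@dataclass(frozen=True)
class Processor:
    name: str
    agreement_in_place: bool   # written agreement binding the vendor to GDPR terms
    deletes_after_task: bool   # vendor destroys the data once the task is done


@dataclass(frozen=True)
class Activity:
    name: str
    purpose: str
    categories: tuple        # kinds of personal data involved, e.g. ("name", "email")
    classification: str      # "sensitive" | "confidential" | "public"
    lawful_basis: str        # one of LAWFUL_BASES
    accessed_by: tuple       # internal roles with access at some processing stage
    processors: tuple        # names of vendors that receive the data
    retention_days: int      # how long the data is kept before destruction


def validate_data_map(activities, processors):
    """Return human-readable findings; an empty list means the map is consistent."""
    by_name = {p.name: p for p in processors}
    findings = []
    for a in activities:
        if not a.purpose.strip():
            findings.append(f"{a.name}: purpose not stated")
        if a.lawful_basis not in LAWFUL_BASES:
            findings.append(f"{a.name}: unrecognised lawful basis {a.lawful_basis!r}")
        if a.classification not in CLASSIFICATIONS:
            findings.append(f"{a.name}: data not classified")
        if a.retention_days <= 0:
            findings.append(f"{a.name}: no retention period set")
        if not a.accessed_by:
            findings.append(f"{a.name}: nobody recorded as having access")
        for vendor in a.processors:
            p = by_name.get(vendor)
            if p is None:
                findings.append(f"{a.name}: processor {vendor!r} missing from processor list")
            elif not p.agreement_in_place:
                findings.append(f"{a.name}: no agreement on file for {vendor!r}")
            elif not p.deletes_after_task:
                findings.append(f"{a.name}: {vendor!r} does not destroy data after the task")
    return findings


def flows_for_category(activities, category):
    """Every internal role and every vendor a given category of personal data flows to."""
    roles, vendors = set(), set()
    for a in activities:
        if category in a.categories:
            roles.update(a.accessed_by)
            vendors.update(a.processors)
    return sorted(roles), sorted(vendors)


def overdue_requests(requests, today, deadline_days=30):
    """IDs of open rectification/erasure requests older than the deadline."""
    return [req_id for req_id, received, closed in requests
            if closed is None and today - received > timedelta(days=deadline_days)]


# Constructed sample map: one clean activity, one with a vendor problem, one bad.
PROCESSORS = (
    Processor("MailVendor", agreement_in_place=True, deletes_after_task=True),
    Processor("AnalyticsCo", agreement_in_place=False, deletes_after_task=True),
)
ACTIVITIES = (
    Activity("newsletter", "send product news", ("name", "email"), "confidential",
             "consent", ("marketing",), ("MailVendor",), 365),
    Activity("support", "resolve customer tickets", ("name", "email", "ticket_text"),
             "confidential", "contract", ("support", "engineering"), ("AnalyticsCo",), 730),
    Activity("survey", "", ("email", "health_status"), "sensitive",
             "curiosity", (), ("UnknownVendor",), 0),
)
# (request id, date received, date closed or None) -- constructed
REQUESTS = (
    ("erase-001", date(2018, 5, 1), None),
    ("rectify-002", date(2018, 6, 20), date(2018, 6, 25)),
    ("erase-003", date(2018, 6, 28), None),
)
SAMPLE_TODAY = date(2018, 7, 1)

if __name__ == "__main__":
    for finding in validate_data_map(ACTIVITIES, PROCESSORS):
        print("FINDING:", finding)
    print("email flows to:", flows_for_category(ACTIVITIES, "email"))
    print("overdue requests:", overdue_requests(REQUESTS, SAMPLE_TODAY))
```

Run as written, the checks report the unsigned agreement with the analytics vendor and the five problems with the survey activity, show that e-mail addresses reach three internal roles and three vendors, and flag the erasure request that has been open for two months. Keeping the map in this form also makes the processor list and its agreements reviewable on demand, as the article recommends.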
5. Do it Smart
It is always better to start the GDPR compliance process with something simple. It is a better idea to transform and improve your company’s current data protection policies than to invent new ones from scratch. Begin by auditing the current data collection process and reviewing it against the new regulation. All units of the company should be involved in the transition. Conducting educational and awareness training will teach employees to recognize data protection flaws and react to them.
The General Data Protection Regulation is a complicated piece of legislation, and it would be difficult to guarantee that all of its criteria are met without proper legal advice. Thus, hiring an expert with knowledge of data protection in your company’s field will help keep the process on track.
After all, the more secure your company is, the more data your customers will willingly share, making your marketing campaigns precise and efficient.
About the Author: Boris Kontsevoi is a technology executive, founder and president of Intetics, Inc., a software development company based in Naples, Florida. Intetics is focused on the creation and operation of effective distributed teams for application development, systems integration, GIS solutions and back office support. Kontsevoi has over 20 years’ experience in software development and IT project management. He has completed the Certified Outsourcing Professional (COP) Master Class and has been awarded the Entrepreneurial Excellence Award (2009) by The Business Ledger (Daily Herald) and Gamechanger of the Year (2017) by ACQ5.