GDPR and Your Company


Any business entity that processes personal data of individuals in the EU should implement compliance measures immediately.

The European Union's General Data Protection Regulation (GDPR) compels organisations to protect the personal data and privacy of individuals in the EU, regardless of where the organisation itself is established. It also restricts the transfer of personal data to countries outside the EU. Companies that fail to become GDPR compliant can face fines of up to EUR 20 million or 4 percent of their total worldwide annual turnover for the preceding financial year, whichever is higher.

GDPR should not be taken lightly.

GDPR compliance has become a pressing issue recently, after European data protection authorities ruled that the use of Google Analytics on EU websites violated the GDPR's rules on transferring personal data to the United States. For this reason, we have prepared a 30-second self-assessment to determine your need for compliance and the corresponding service levels.

Things to consider for compliance

  1. Data that GDPR protects

    The regulation covers the protection of the following data:

    • Personal data, meaning any information that relates to an identified or identifiable individual, for example:
      • Name, address, and/or ID numbers
    • Online identifiers such as location data, IP addresses, cookie identifiers, and RFID tags
    • Special categories of personal data, which are subject to stricter rules, for example:
      • Health and genetic data
      • Political opinions and religious or philosophical beliefs
      • Biometric data used to identify a person
      • Racial or ethnic origin
      • Sexual orientation
  2. Being GDPR compliant is not easy

    Thorough planning is required, and several factors need to be considered. Some of these factors include:

    • The storage, transfer, access control, and security of electronic information
    • Data retention schedules and their enforcement
    • Written records that demonstrate compliance (the GDPR's accountability principle)
    • Documentation of data protection policies and procedures
    • The type of data that is being stored and transferred
    • How newly created data is brought under the same controls
    • Who can access the data, and how
    • What the data actually contains
  3. Data Protection Officer

    Under certain circumstances a Data Protection Officer (DPO) is required: for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for organisations that process special categories of data on a large scale. Part of the DPO's role is to follow a defined procedure to identify the personal data that the company processes and to ensure it is protected in line with the GDPR's requirements.

  4. Data mapping

    It is impossible to ensure security if the DPO does not know where corporate data is located or what it contains. If the data map for the corporation is incomplete, a discussion with the company's IT stakeholders should be held. Going forward, collaboration between all business areas, IT, management, and the corporate legal department is very important for a comprehensive data management plan, which in turn is a significant step toward GDPR compliance. It should be noted that personal data held by third-party providers on the company's behalf, including cloud service vendors and data archival companies, also falls within the scope of GDPR compliance: the company remains responsible for it as the controller.

  5. Understanding the content of the personal data

    Companies should understand the nature of the personal data they are storing, not just where it is stored. They should be able to state, for each category of data, what legal basis they have for processing it, for example whether the processing is necessary to perform a contract or agreement with the individual, or whether some other basis applies.

  6. Obtaining the customer's consent

    Consent of an individual is one of the legal bases for storing and transferring personal data. A company must obtain a clear affirmative action from the customer that allows the company to process and use their data; pre-ticked boxes or silence do not count, and the customer must be able to withdraw consent as easily as they gave it. Similarly, an individual has the right to know where their data is being stored and how it is being processed. They also have the right to have inaccurate information corrected and, in certain cases, to have their data deleted. It is to be noted that consent is not the only basis on which to process personal data. Under the GDPR there are six legal bases that can apply to the processing of personal data:

    • Consent
    • Contract
    • Legal Obligation
    • Vital Interests
    • Public Task
    • Legitimate Interests
  7. Breach notification

    It is important for a company to have adequate technical support to prevent data breaches. If a breach does occur, the company should have procedures in place to notify both the supervisory authority and the affected individuals. The company should be able to tell its customers specifically what was exposed. The GDPR introduces a duty on all organisations to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the company must also inform those individuals without undue delay.

  8. Monitoring data transfer

    The GDPR places significant restrictions on the transfer of personal data. Corporate entities should have an enforceable plan to prevent unauthorised data transfers. Transfers of personal data outside the EU must meet the GDPR's requirements first: the destination country must be covered by an adequacy decision, or the transfer must be protected by appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the limited derogations must apply. A series of questions about the content of the data needs to be answered before each transfer. If the data is especially sensitive, additional restrictions must be imposed. Supervisory authorities can also suspend or prohibit transfers that do not meet these requirements.