What does GDPR mean for Companies and Organisations?
The General Data Protection Regulation (GDPR), introduced by the European Union (EU) on May 25, 2018, brought in a new set of rules and obligations for the management of the personal data of EU citizens.
GDPR puts in place legal obligations to make sure that personal data does not fall into criminal hands. If personal data is obtained by, or even made accessible to, attackers, they can do untold damage to the individuals affected.
Appropriate Data Management & Processing Systems
Controllers must adopt a dedicated data management system with proper measures in place to comply with GDPR. GDPR introduced the concept of privacy by design, where data protection measures are taken into account throughout the complete design process.
Certification indicating that a data management system is GDPR compliant can be obtained from the local data protection supervisory authority.
Legally Compliant Data Processors
If data processing tasks are delegated to a processor rather than performed by the data controller, the processor must be confirmed to be GDPR compliant before it is engaged by the organization.
Data processors include payroll companies, accountancy firms and human resources agencies. Any of these may store or process personal information.
The data controller and the data processor must sign a legally binding contract that sets out all of the necessary legal obligations.
Tracking Data Processing Activities
If a company either has more than 250 workers or manages sensitive personal information, then it must maintain a record of all processing activities it carries out under GDPR rules.
This record must include the name and contact details of the controller, the purpose of the processing, the categories of data subjects and personal data, the categories of data recipients, details of transfers to non-EU countries and the relevant data privacy legislation of that country, data retention time limits and a description of the data security measures in place.
Safeguarding Personal Data
A security policy must be implemented that keeps personal data safe from unauthorized access. These measures must protect personal data from accidental or unlawful destruction of stored data and from unauthorized sharing, access or alteration.
Filing a Report of a Data Breach
GDPR states that the relevant local data supervisory authority must be made aware of a data breach within 72 hours of the controller first identifying the breach. This applies where the breach could endanger the rights and freedoms of the data subject(s).
Ongoing Data Impact Reviews
A data protection impact assessment must be conducted by data controllers that intend to carry out high-risk data processing. This data protection impact assessment must include an outline of the process and the reason for it, an assessment of the necessity of the processing, an investigation into the possible dangers to the rights and freedoms of the data subjects and a list of all of the steps taken to address the identified risks.
Data Protection Officer (DPO)
A Data Protection Officer (DPO) must be hired or selected if an organization is a public body, if its core activities involve monitoring of data subjects on a large scale, or if special categories of data are being managed.
If one or more of these conditions apply, then a DPO must be selected. The rules for appointing a DPO are:
- Whoever is appointed must have the correct professional experience and expert knowledge on data protection
- The appointed DPO can be an internal/existing member of staff appointed to the role
- The data supervisory authority must be given the contact details for the DPO
- Resources must be made available so the DPO can carry out their tasks successfully
- The DPO must be able to report directly to the highest levels of company/organization management
- The DPO cannot conduct any task/role that is in conflict with their data protection position
External Transfers of Data from the EU
Personal data may be sent outside of the EU or to an international organisation when the EU has decided that the recipient country has the required level of data protection in place. Should a transfer to an unapproved country be deemed necessary, then the data controller or processor must see to it that all appropriate security measures are active.