The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, but some businesses are still not fully compliant. The regulation is designed to harmonize data privacy laws across Europe, protect EU citizens’ data and reshape the way organizations approach this data. It’s important to know about the changes, because non-compliance means heavy fines.
Almost certainly. Pretty much every business today has to deal with personal data, or at least maintains a customer database. Here at Evalato we want to make sure you are always well informed on things that concern your business, so we summarized the information for you.
First off, when it comes to the personal data of your customers, your organization can be a data ‘controller’, a ‘processor’, or both.
Controller refers to the person or business that decides which pieces of information are collected, for what purposes, and how they are processed. According to EU law, the controller’s obligations include, but are not limited to:
An organization can be both controller and processor.
Processor is the person or business that processes personal data on behalf of the data controller, such as data analytics providers or storage services. If you, as a controller, use two separate providers for such services, both of them are considered ‘processors’ of the same personal data. The requirements for processors include, but are not limited to:
The GDPR definitions can be difficult to translate into today’s complex business relationships. The important thing here is that the regulation applies to both controllers and processors, which means it concerns your business.
When it comes to your award programs in Evalato, the platform is a data processor because it collects and processes your customers’ data as part of the service we provide to you and your customers. You remain the sole owner of that data; we only store and process some of it – for example, to generate registration profiles, compile analytics data, etc.
Your award programs and applicants are in good hands, because data safety has been a cornerstone of our service since day one. What changed with the GDPR is that you now have a responsibility to inform your applicants that their information is processed by Evalato (as a processor). You should do the same for any service that processes data for you in some capacity: tell people who accesses their data and for what purpose.
Although the key principles of data privacy from the old directive still hold true, there are some notable changes:
The biggest change is probably the extended jurisdiction of the GDPR. Starting 25 May 2018, the data protection rules apply to all companies processing personal data of EU citizens, regardless of the company’s location. The GDPR also applies to the processing of EU citizens’ personal data where the activities relate to offering goods or services (free or paid) to EU citizens, as well as monitoring their behaviour within the EU. Non-EU businesses that process EU citizens’ data are required to appoint a representative in the EU.
The conditions for consent have been strengthened as well. Companies can no longer rely on long Terms & Conditions full of hard-to-understand legal language to obtain a person’s consent to use their data. Instead, the request must be easily accessible and presented in clear and plain language, and the purpose of the data processing must be stated together with that consent. The consent must be clearly distinguishable from everything else, and it must be as easy to withdraw consent as it is to give it.
Data breach notifications are mandatory where a breach is likely to “result in a risk for the rights and freedoms of individuals”. Data subjects have the right to obtain from the data controller confirmation of whether their personal data is being processed, where, and for what purpose. Additionally, data subjects can receive the personal data they previously provided in a ‘commonly used and machine readable format’ and transmit that data to another controller.
Data subjects also gain the right to have their data erased by the controller, to stop further dissemination of the data, and potentially to have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes of processing, or the data subject withdrawing consent.
Privacy by Design is now part of the legal requirements under the GDPR. This means building data protection into systems from the outset of their design, rather than adding it later. More specifically, you have to implement appropriate technical and organisational measures to meet the requirements of the new regulation and protect the rights of data subjects. Controllers are required to hold and process only the data absolutely necessary for the completion of their duties (data minimisation). Additionally, they have to limit the data processors’ access to that personal data.
If your business is found to be in breach of the GDPR, you face a hefty fine. The maximum can be up to 4% of your annual global turnover or €20 million, whichever is greater. The fines are imposed for infringements like:
If your business is a controller or a processor of data, which it most likely is in some capacity, and you’re not sure whether you’re GDPR compliant, take the necessary steps to comply with the regulation as soon as possible. First, because you probably don’t want to get fined; second, because it’s always a good idea to improve your security measures; and third, because applicants will appreciate knowing their personal data is well protected.