The General Data Protection Regulations (GDPR) came into effect on 25 May 2018, but some businesses are still not fully compliant. The regulations are designed to harmonize data privacy laws across Europe, protect EU citizens’ data and reshape the way organizations approach that data. It’s important to know about the changes, because non-compliance means heavy fines.
Does this concern me?
Almost certainly. Pretty much every business today has to deal with personal data, or at least maintain a customer database. Here at Evalato we want to make sure you are always well informed on things that concern your successful business, so we summarized the info for you.
First off, when it comes to the personal data of your customers, your organization can be a data ‘controller’, a ‘processor’, or both.
Controller refers to the person or business that decides which pieces of information are collected, for what purposes, and how they are processed. According to EU law, the controller’s obligations include, but are not limited to:
- provide clear information to your customers about the personal data you collect and for what purpose;
- protect personal data against accidental loss, unauthorized access, or unlawful processing;
- have written agreements with any processors given access to your customers’ data, requiring them to act only on your instructions and to comply with all data protection requirements;
- inform the data subject within 72 hours of first becoming aware of a data breach.
An organization can be both controller and processor.
Processor is the person or business that processes personal data on behalf of the data controller, such as data analytics providers or storage services. If you, as a controller, use two separate providers for such services, both of them are considered ‘processors’ of the same personal data. The requirements for processors include, but are not limited to:
- process data fairly, lawfully, and for legitimate purposes;
- implement all appropriate security measures to protect the personal data;
- inform the controller immediately of any data breach;
- keep internal records of all data processing activities.
The GDPR definitions can be difficult to map onto today’s complex business relationships. The important thing is that the regulations apply to both controllers and processors, which means they concern your business.
Your customers’ data and Evalato
When it comes to your award programs in Evalato, the platform is a data processor, because it collects and processes your customers’ data as part of the service we provide to you and your customers. You remain the sole owner of that data; we just store and process some of it – for example, to generate registration profiles, compile analytics data, etc.
Your award programs and applicants are in good hands, because data safety has been a cornerstone of our service since day one. What changed with the GDPR is that you now have a responsibility to inform your applicants that their information is processed by Evalato (as a processor). You should do the same for any service that processes data for you in some capacity: tell people who accesses their data and for what purpose.
Although the key principles of data privacy carry over from the old directive, there are some notable changes:
The biggest change is probably the extended jurisdiction of the GDPR. Starting 25 May 2018 the rules for data protection apply to all companies processing personal data of EU citizens, regardless of the company’s location.
The GDPR also applies to the processing of EU citizens’ personal data where the activities relate to offering goods or services (free or paid) to EU citizens, or to monitoring their behaviour within the EU. Non-EU businesses that process EU citizens’ data are required to appoint a representative in the EU.
The conditions for consent have been strengthened as well. Companies can no longer use long Terms & Conditions full of hard-to-understand legal language to obtain a person’s consent to use their data. Instead, the request must be easily accessible and presented in clear and plain language, and the purpose of the data processing must be attached to it. The consent must be clearly distinguishable from everything else, and it must be as easy to withdraw as it is to give.
More power to the data subject
Data breach notifications are mandatory where a breach is likely to “result in a risk for the rights and freedoms of individuals”. Data subjects have the right to obtain from the data controller confirmation whether their personal data is being processed, where and for what purpose. Additionally, data subjects can receive the personal data they have previously provided in a ‘commonly used and machine readable format’ and transmit that data to another controller.
Right to be Forgotten
Data subjects also get the right to have their data erased by the controller, to stop further dissemination of the data, and potentially to have third parties halt processing of it. The conditions for erasure include the data no longer being relevant to the original purposes of processing, or the data subject withdrawing their consent.
Privacy by Design
Privacy by Design is part of the legal requirements under the GDPR. This means building data protection into systems from the start of their design, rather than adding it afterwards. More specifically, you have to implement appropriate technical and organisational measures to meet the requirements of the new regulations and protect the rights of data subjects.
Controllers are required to hold and process only the data absolutely necessary for the completion of their duties (data minimisation). Additionally, they have to limit data processors’ access to that personal data.
Penalties for non-compliance
If your business is found to be in breach of the GDPR, you face a hefty fine. The maximum can be up to 4% of your annual global turnover or €20 million, whichever is greater. Fines are imposed for infringements such as:
- insufficient customer consent to process data;
- violations of the Privacy by Design concept;
- not having your records in order;
- failing to notify the relevant authority and data subjects about a breach.
GDPR Compliance Checklist ✅
- It’s important that you have a clear picture of your network, as well as what kind of data you control and who has access to it. Access to that data has to be tightly restricted and monitored at all times to prevent unauthorized access.
- Check and assess the security measures you currently have in place, including technology, processes, and the people with access to the data. If necessary, take additional measures to avoid a data breach. Make sure you have ways to detect an intruder in your systems, trace their activity, remove them and close the vulnerabilities they used.
- This article is by no means exhaustive; it’s merely an overview of the GDPR. Make sure you’re thoroughly familiar and compliant with everything in the regulation. Review your privacy notices and make any necessary changes there as well.
If your business is a controller or a processor of data, which it most likely is in some capacity, and you’re not sure whether you’re GDPR compliant, take the necessary steps to comply with the regulations as soon as possible. First, because you probably don’t want to get fined; second, because it’s always a good idea to improve your security measures; and third, because applicants will appreciate knowing their personal data is well protected.