The purpose of GDPR is to protect EU citizens from privacy and data breaches in an ever-evolving digital world. This has lead to some pretty hefty changes in legislation and in what startups can and can’t do moving forwards. Below are the key points that affect business. We’ve done our best to get rid of the complicated jargon widely used.
Increased Territorial Scope – (Where you’re based)
What used to be a focus on companies based in the EU, the law now applies to any company regardless of location that processes personal data of EU citizens. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.
They’re big! Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. What’s also crucial to note is that it relates to both controllers and processors – meaning ‘clouds’ are not exempt.
In essence, consent must be clear and obvious. Not like the old days where big companies would hide consent in a big T’s and C’s form. It must be as easy to withdraw consent as it is to give it.
The People’s Rights:
If a breach happens that puts personal data at risk, companies have 72 hours to notify it’s customers without undue delay.
Right to Access
If a customer asks whether you’re processing their personal data, you have to tell them. Pretty obvious no? A copy of the personal data, free of charge, in an electronic format must also be provided.
Right to be Forgotten
Sometimes called Data Erasure, the right to be forgotten means that customers can request to be removed from a companies system and they must comply.
GDPR introduces data portability Any customer can request to receive the personal data concerning them in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.
Privacy by Design
A Basically, companies are bound to only collect and process data that is absolutely necessary for them to operate. This is a bit woolly really. Where is the line?
Data Protection Officers
The DPO appointment is mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. Importantly, the Data Protection Officer:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could results in a conflict of interest.