What is the GDPR?
GDPR is an EU regulation, and it has two main purposes, protecting the individual’s right to privacy and their right to have their personal information kept safe. The GDPR will affect all organisations that in some way process or handle personal data, apart from a few exceptions, such as law enforcement agencies.
A lot of companies are stressed about GDPR at the moment – what’s the best advice you can give those who are working to become GDPR compliance?
Keep a record of data processing activities
Document everything the organisation does with personal data. You should even specify the purpose of data processing, what type of personal data that will be processed and how long it will be saved for (Requirement 30). Today it is common that processing activities, such as payments, are made using systems and companies might therefore choose to document data processing according to system. However, it is important to realise that the activity itself should be the focal point, and it might be wise to instead split some systems, such as CRM-systems, into different records documenting the different activities. Download our free template here.
Evaluate the routines that are in place for the erasure of personal data
It is very important that the organisation has a purpose for storing and processing personal data. If there is no purpose you should remove the data. You shouldn’t store data simply because you don’t have the energy to establish a new routine for data removal, or because there might be a minimal chance you might need it in the future. Those excuses will no longer work. However, the deadline for removal of data does not always have to be stated as: ‘’the personal information will be deleted after 1 year…’’ It can be formulated so that you instead state that the personal data will be removed once the purpose has been fulfilled. As an example, ”When temporary employees become permanent their credit reports will be deleted from the HR-system…”
Create an IT policy with GDPR in mind
If the organisation doesn’t already have an IT policy with special focus on GDPR, it’s time to create one! GDPR will require organisations to have routines and policies in place to protect personal data, as there, among other things, are specific requirements regarding incident handling and breaches involving personal data.
Which information regarding an organisations handling and processing of personal data does an individual have the right to see?
At the time of data collection, the individual has the right to know, among other things, what personal data is being collected, the purpose of storing the data and if the data will be transferred to a third party. This is specified in a privacy policy. In certain cases, individuals are also entitled to obtain copies of the personal data that is being stored. It is therefore important to consider how to handle information written in, e.g., free text fields in CRM and support systems.
What do you think is one of the biggest misunderstandings regarding GDPR?
I think the biggest misconception is that some believe that huge sanctions will be issued for even the smallest personal data mishaps. The punishment will be proportional to the crime. The reason for having a maximum penalty of € 20,000,000 or 4% of global sales is to convey a message to the biggest players like Facebook and Google, who handle huge amounts of personal data.
How strict is the right to be forgotten? Can you store information even if someone wants to be forgotten?
I have noticed that the requirement is not at all as strict as some thought it would be. There are many exceptions to the rules. The most important thing is that organisations need to have a good reason for why they have to keep personal information about an individual, for example because of legal reasons or archival purposes as statistical data. The registered has the right to have their information removed if the processing is no longer necessary, for example if the registered has withdrawn his or her consent, or when no longer using services like Facebook or e-commerce sites.
So, what do you think organisations will be penalised for?
For not having enough documentation, policies, or routines adapted to GDPR in place for the processing of personal data. Invest time and energy into documenting data processing activities, re-write data processing agreements and vendor agreements, write an IT-policy that is adapted to GDPR, and educate staff about these new routines and processes.