Are you ready for GDPR?

The flag of the European Union. By now, you have probably heard about GDPR, but what is it really? And how do you prepare for it? Below I have tried to outline the new laws as easy as possible.

What is GDPR?

The General Data Protection Regulation (GDPR) is a ruleset that affect all companies handling data of people within the European Union. The rules will take effect on the 25th of May 2018. The fines for not complying is 4% annual turnover, or up to 20 million EUR, whichever is greatest.

To give you an overview, the rules contain following topics:

What is personal data?

Since the new regulation is mainly concerned about people's rights with regards to their data, we need to talk about what their data is. So, what is really the definition of this personal data? It is defined as:

Personal data means any information relating to a directly or indirectly identified or identifiable natural person.

That is quite a broad definition, so let's take a look at various pieces information. The most obvious personal data points are:
However, these more atypic pieces of information are also included as personal data:
Data is personal data when the information is so specific that it can be used to identify a specifc person. Either by itself, or in conjunction with other pieces of information. Here it should be noted that a few data points, in conjuction with each other, rather quickly can be used to identify a person. E.g. how many customers do you from a certain area, who is 50 years old, and is an accountant?

3 different roles

With regards to GDPR, there are 3 different roles.


A quick example of this could be my website. I have a newsletter that I gather e-mails for. I use Mailchimp for this, which make it possible to store e-mails and enables me to send out the newsletters. You (data subject) can sign up for my newsletter, and I (data controller) decide what information to collect and what happens to it. Mailchimp (data processor) stores the information for me.
As a data controller, it is my responsibility to make sure all of my data processors are GDPR compliant. This is done with a data processing agreement, and you need such an agreement for all your data processors.

Here are some of the data processors you may be using:
Check them all for GDPR compliance. Most of them already have agreements prepared for you, like Mailchimp's data processing agreement. If you can't find any information on their website, contact them.

When processing personal data

GDPR also states for what reasons you may process personal data. You may only process personal data for these reasons:


If the personal information that you process cannot be contained within one of the 4 categories above, you simply may not process it.

Right to gain access to stored information

The users are given the right to gain insight into what information you have about them. If they request it, you need to provide them with a full copy of all their data within 30 days.

The users can request the following:

Deletion of data

Citizens of the European Union will gain the right to be forgotten, which means deletion of data. You are required to delete any data that no longer serves a purpose. Furthermore, you are also required to delete data when consent is withdrawn, or it is requested by the user.
As an alternative to deletion, you can also anonymize the data. But this requires true anonymisation, so that the remaining information cannot be linked to a person. If it is still possible to link it to a person, you have only done pseudo-anonymisation, which is not good enough.

Conclusion

People in the European Union has gotten some much needed rights with regards to privacy of data. It is quite interesting to follow how this will evolve in the future.

The essence of GDPR is that you need to document a purpose for your data collection, and you need to ensure that it also gets deleted when it is no longer necessary. This was merely a brief walkthrough some of the key points of the regulation. If you store any information about your users, you need to make your preparations for the 25th of May.

Kommentarer

Der er ingen kommentarer.

Tilføj kommentar