On May 25, 2018, the EU’s new General Data Protection Regulation (GDPR) goes into effect. “There are a number of questions organizations must ask themselves – and be sure to answer. Penalties of up to 4% of sales are nothing to play around with,” says Daniel Hjort, business developer at identity and security company Nexus Group.
GDPR applies to all organizations managing the personal information of EU citizens.
“The purpose of the new rules are to protect individuals’ privacy. Some laws also aim to make it easier for companies and organizations, but that is unfortunately not the case with GDPR,” says Hjort.
Moreover, it is not easy to grasp what the rules really mean for an organization since the law is extensive, complex, and contains a number of exceptions, according to Daniel Hjort.
“It is time for all organizations to begin to familiarize themselves with this law and its consequences. Most will probably come to the conclusion that living up to the new requirements is a greater challenge than apprehended,” says Hjort.
The main points of the new regulation, according to Hjort:
All individuals have the right to access the information your organization has registered about them.
“And it is up to your organization to ensure that you do not give out information to the wrong person when you receive a request,” says Hjort.
Your organization must be able to show what has been done with the information.
“You must also be able to demonstrate both who has seen it and who has had access to it,” says Hjort.
Your organization must always receive approval from the people you want to record data on.
It must be stated in plain language how your organization uses personal data.
The individual always has the right to request that the information you have registered is handed over to another party.
“The aim is to make it easier for individuals to switch suppliers. This gives your organization the opportunity to win customers from other suppliers, while at the same time risk losing customers to others,” says Hjort.
The individual has the right to have inaccurate information about themselves corrected.
The individual has the right to be removed from your records. This applies even if the person previously authorized the storage of personal data.
“And it’s not enough just to remove the information – you must ensure that there are no traces left behind,” says Hjort.
Questions all organizations must ask themselves – and be sure to answer:
- Do we have insight into the compensation levels that are associated with non-compliance?
- Does every part of our organization have the legal basis for the collection and use of personal data?
- Do we have procedures in place to be able to inform affected individuals and the supervisory authority within 72 hours after a data breach?
- How do we make sure we do not collect more information than necessary and that we do not save it for longer than necessary?
- How do we ensure that data collected for a specific purpose is not used for anything else over time?
- Is there a process in place to give individuals access to their information when they ask for it?
- Is adequate information security in place to protect the personal information we have registered?
- Are we sending sensitive personal data in unencrypted emails, and if so, how can we transition to a more secure form of communication?
- How do we handle the demands of cross-border data transfers?
- Are we handling personal data on behalf of other organizations, and if so, are we adhering to the obligations this entails?
- Do we have a process to delete personal information when individuals request it?
- Have we put aside enough budget to meet all the new requirements?
- Have we appointed a data protection officer and planned for their education?
- Do we also need an assistant data protection officer who can help our data protection officer make sure we follow the law?
Technical solutions that can help your organization follow GDPR:
The basic condition for the safe handling of personal data is the same as for all other security: trusted identities. If you do not know who or what you are dealing with it, does not matter how reliable your safety mechanisms are.
“Therefore, step one is to have a solution in place that allows you to maintain proper control of the identities of your employees as well as your customers, citizens, members and partners,” says Hjort.
Step two is to make sure your organization has the technical solutions in place to:
- Give your employees and partners the right access to personal data
Not everyone should be able to see and do everything.
- Offer customers, citizens and members the opportunity to interact with you in a safe way
All individuals should be given the opportunity to log in and identify themselves safely.
“User names and passwords are often not good enough. With technology for secure login, you can let the individuals themselves see what information you have stored about them, instead of them having to contact you to ask you to disclose data manually. You can also save time and reduce costs by offering digital signing for requests to remove personal data,” says Hjort.
- Communicate with encryption
- Instate traceability
You must be able to report changes in personal data and give information about who has done what and when.