European data privacy law and how it affects doing business in the EU
The General Data Protection Regulation (GDPR) has changed the way that businesses process data from EU citizens. If you are a business owner who collects, uses and/or stores data from EU citizens, then you need to be aware of GDPR and what it means for your business. In this article, we consider current European data privacy law and how it affects businesses. We will also provide advice to help you become and remain GDPR compliant.
What is GDPR and why was it introduced?
The General Data Protection Regulation (GDPR) was put into place in the European Union in 2018. Its purpose is to protect the data privacy of EU citizens. This means that GDPR applies to any business that collects or processes the data of EU citizens, no matter where the business is located.
GDPR means that businesses have to get permission from people before they can collect, use or share their personal information. Businesses must also tell people about their rights under GDPR and make it easy for them to exercise those rights. If people think their rights have been violated, they can file a complaint. Personal data must be collected and used in a way that is fair and secure.
The following are examples of situations in which GDPR applies:
- A company processes the personal data of employees in order to pay salaries or track vacation days.
- A website collects users' IP addresses in order to prevent spam comments.
- A mobile app stores user location data in order to provide personalized weather information.
- A fitness tracker records heart rate and steps taken throughout the day.
- A social media platform uses facial recognition software to suggest friends or tags for photos.
All of these activities require GDPR compliance unless an exception applies.
What is personal data?
All data that could be used to identify an individual is included under GDPR's control. This broad definition ensures that individuals have a high degree of control over their personal data. GDPR defines two types of personal data:
- Regular data is any information that can be used to identify an individual. This includes, but is not limited to, an individual's name, address, phone number, email address, identification numbers, online identifiers and social media username.
- Sensitive data is any information that could be used to discriminate, damage an individual's reputation, or pose a risk to an individual's safety. This includes, but is not limited to, an individual's race, ethnicity, political opinions, religious beliefs, health information, and sexual orientation.
How does GDPR affect businesses in the EU?
GDPR affects businesses in the EU in a number of ways. Firstly, businesses must process data in a way that protects the privacy of the individual. GDPR also requires businesses to provide individuals with information about how their data will be used.
Companies must obtain explicit consent from individuals before collecting, processing, or sharing their personal data. GDPR also gives individuals the right to access their personal data, the right to correct inaccurate data, and the right to have their data erased. These rights give individuals a high degree of control over their personal data and help to ensure that companies are transparent in their handling of this sensitive information.
What are the consequences of not complying with GDPR regulations?
GDPR is a complex regulation, and businesses that do not take the time to understand and comply with its requirements are at risk of penalties. Non-compliance with GDPR can result in fines of up to €20 million or four percent of global annual turnover, whichever is greater. Businesses that are found to be non-compliant will also be required to make changes to their practices in order to become compliant.
How do businesses become GDPR compliant?
There are several steps that businesses can take to become GDPR compliant. These steps include understanding the requirements of GDPR, developing a compliance plan, and implementing security measures to protect data privacy. For some organizations this requires a very heavy approach; for others it can be quite light. Seek sensible legal advice for your specific situation and use available tools to ease the process, such as the forever free version of Privacy Perfect.
According to GDPR, to be compliant companies should perform the following 10 tasks (which ones depend on the specific situation):
First of all, appoint a person responsible for overseeing GDPR compliance within the company. Formally this role is the Data Protection Officer (DPO). GDPR requires companies to appoint a DPO if they process large amounts of data, if they process sensitive data, or if their core business activities involve data processing.
Secondly, perform a Privacy Impact Assessment (PIA) for your current business and any new projects in order to identify any risks to the privacy of your customers or employees. The GDPR requires that these assessments take into account the type of data being processed, the nature of the processing, and the potential for harm if there were a data breach.
Develop policies and procedures
Third, develop GDPR policies and procedures. These policies and procedures should cover all aspects of GDPR, including data collection, transactions, storage, and destruction.
Fourth, train employees on data privacy and information protection.
Contracts with partners and contractors
Fifth, ensure GDPR compliance requirements in contracts with partners, contractors and service providers.
Maintain a register
Sixth, maintain a register of all processes that involve the collection, storage, and use of personal data. This includes keeping track of the categories of data processed and the purposes for processing it, as well as any automated means used, such as customer contact forms or website cookies. The processing register will include all of the data processors who are actually responsible for handling the data. In many situations, the data processors are supplier companies or business partners. Sometimes, though, the owner of the data (the data controller) is also the data processor. The processing register must be readily available to the authorities upon request.
Ensure secure data processing
Seventh, take steps to ensure that all data is processed securely. This includes encrypting data, ensuring that only authorized personnel have access to it, and regularly testing security systems. Implement appropriate technical and organizational measures to protect computer systems and personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Some ways to protect your online presence include using secure passwords and being suspicious of any emails that look unusual, even if they come from a trusted source. One of the most common ways that hackers gain access to people's information is through malware carried via email. Processes to keep software up to date with the latest security patches also help protect your business from ransomware and data theft.
Processes for responding to data breaches
Ninth, put in place procedures for responding to data breaches, such as notifying the affected individuals and taking steps to prevent future breaches. Data breaches can be devastating for businesses, both in terms of the damage to reputation and the financial cost of dealing with the fallout. However, it's important to remember that not all data breaches are caused by malicious hacking. In fact, many data breaches are the result of simple human error, such as an employee losing a laptop or leaving confidential information unprotected.
Transferring data outside the EU
Lastly, also ensure GDPR compliance when transferring data outside the EU. One way to do this is to use standard contractual clauses, which are legally binding agreements between companies that govern the transfer of personal data.
Tips to ease EU data privacy law compliance
GDPR compliance can seem like a daunting task, but there are a few simple steps you can take to make it easier.
- Avoid collecting or using unnecessary personal data. If you don't need it, don't ask for it. Avoid the sensitive category of personal data entirely unless your business depends on it.
- Use standard industry software whenever possible. GDPR-compliant software is widely available and can save you a lot of time and effort.
- Agree smart contracts. Smarter contracts can help you automate GDPR compliance by ensuring that only the data that needs to be shared is shared. Also, keep your processes simple: GDPR compliance does not have to be complicated or time-consuming.
- Deploy a privacy statement on your website. A well-written privacy statement will include the types of data collected, how the data is processed, the rights of customers and how to contact the company. A privacy statement should be easy to find on a company website. The best place for it is usually in the footer of the website.
- Use a simple tool to register your business processes and their use of personal data, such as the above-mentioned Privacy Perfect.
Get in touch today!
When it comes to data privacy, it's better to be safe than sorry. Complying with GDPR is an important step in protecting the data of your customers and ensuring that your business is operating legally in the EU. By following these simple tips, you can make GDPR compliance easy and painless.
Looking for more help with GDPR compliance? We can help with smart contracts and a simple public processing register. Register for our GDPR compliance assistance today!
GDPR Compliance Check
This company GDPR check is made for all entrepreneurs who process personal data. This is already the case when, for example, you keep billing data from your customers. The term “processing” is a broad term. It actually includes everything that can happen to data, such as: saving, viewing, passing on, encrypting, copying, moving, organizing, changing, using, distributing, and so on.
Data processing agreement (GDPR)
You need a processing agreement when you have personal data processed by an external party. This external party is also known as the processor. Consider, for example, an administration office that pays the salaries for a company, or the hosting provider that hosts a website. With regard to the content of the processing agreement, you can think of agreements about:
- the purpose of the processing;
GDPR Data Register
In the processing register you keep, among other things, what type of data you process for what purposes, whether it is passed on to other parties, how long it is kept and how you have protected the data. In many cases, the General Data Protection Regulation (GDPR) makes it compulsory to keep a processing register. Creating a registry is only the first step. The registry must be updated every time new processes are added or existing processes are changed.