The General Data Protection Regulation (GDPR) is a privacy and data protection law aimed at guaranteeing the privacy of individuals in the European Union. The regulation became enforceable on 25 May 2018, replacing the 1995 Data Protection Directive. One difference between the 1995 Directive and GDPR is that a regulation does not need to be transposed into national law by each EU country; it is directly binding and applicable across the whole bloc. Violating GDPR can attract a fine of up to 4% of the company's annual global turnover or 20 million euros, whichever is greater. A fine of that size calls for companies to assess their own data collection, processing and storage practices.
Is your company affected?
The territorial scope of GDPR covers companies established in the EU, and companies outside the EU that process personal data of data subjects in the European Union in order to offer them goods or services or to monitor their behaviour. Company location by itself does not exempt you, which is why the regulation is described as having "extraterritorial" applicability. It's worth noting that a data subject is the individual the data is about. This means that if your company processes (collects, disseminates or stores) personal data of data subjects in the EU in the ways above, you need to be GDPR compliant.
What type of companies mostly process personal data?
Companies that process personal data belong to two broad categories:
- Data controllers – these companies decide why and how personal data is processed, and usually collect it directly from the data subject. They are normally first-party companies. Examples include Facebook, Twitter and Jumia.
- Data processors – these companies process data on behalf of a data controller, for example cloud service providers such as Amazon Web Services (AWS) hosting a controller's data.
If your company is a data controller or a data processor and you are within GDPR territorial jurisdiction, you need to be compliant. It's worth noting that as a data processor you may not know what data your clients handle, which means that, to be safe, you need to be compliant regardless.
GDPR Compliance Checklist
a) What personal data do you collect?
GDPR has widened what counts as personal data. Before, personal data was usually taken to mean directly identifying data such as a name, email address or physical address. GDPR, however, explicitly lists online identifiers, so companies must give data such as an individual's IP address, cookie identifiers and device identifiers the same level of protection they give a name or an email address.
b) How did you collect it?
The issue of how your company collected the data centres on consent. Did the data subject consent to their data being collected? Do you allow them to opt in and opt out? With GDPR, if your company runs subscriptions for, say, newsletters, and the existing consent was not freely given, specific and informed, you may have to unsubscribe all the subscribers and have them opt in afresh. Companies must explicitly tell the data subject why they need to collect the data and how they are going to process and use it before obtaining consent. For online services offered directly to children, consent must be given or authorised by a parent or guardian below the age threshold set by the member state (16 by default, and no lower than 13).
c) How are you storing it? Are you transmitting it outside EU?
With GDPR, companies must ensure that data is stored safely and securely. Is your company storing any sensitive data, and does it need to be encrypted? Are you transmitting the data outside the EU or only within it? Is the data protected in transit? Under this heading, your company needs to be aware of the following:
- In the event of a breach, it's mandatory to report the breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to them, the affected data subjects must also be informed without undue delay.
- Data subjects have the right to access their data and to get confirmation from your company of whether their data is being processed and for what purposes.
- Data subjects have a right to erasure (the "right to be forgotten"). This means that a data subject can require your company to erase all the data you hold about them, cease disseminating it and halt any third party from processing it, subject to the exceptions the regulation allows (for example a legal obligation to retain the data).
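One way to make storage, access and erasure tractable in the same design is to encrypt each data subject's records under their own key and treat deleting that key as erasure (sometimes called crypto-shredding): any copy of the ciphertext that lingers in a replica or backup becomes unreadable once the key is gone, and the subject access request is simply "decrypt everything under this key". The Go program below is an added example written for this article, not code from the article or from any product it mentions. It assumes a hypothetical in-memory key table and record table; in a real system the per-subject keys would live in a KMS or HSM with their own audit log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrErased is returned once a subject's key has been destroyed.
var ErrErased = errors.New("subject key destroyed: records are unrecoverable")

// Store keeps personal data encrypted under a per-subject AES-256-GCM key.
// Hypothetical in-memory layout for illustration only.
type Store struct {
	keys    map[string][]byte   // subjectID -> 32-byte key (a KMS/HSM in production)
	records map[string][][]byte // subjectID -> nonce || ciphertext blobs
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, records: map[string][][]byte{}}
}

// gcmFor returns the subject's AEAD, or ErrErased if the key no longer exists.
func (s *Store) gcmFor(subjectID string) (cipher.AEAD, error) {
	key, ok := s.keys[subjectID]
	if !ok {
		return nil, ErrErased
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one record for a subject, generating the subject's key on first use.
func (s *Store) Put(subjectID string, plaintext []byte) error {
	if _, ok := s.keys[subjectID]; !ok {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.keys[subjectID] = key
	}
	gcm, err := s.gcmFor(subjectID)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The subject ID is bound as associated data, so a blob moved to another
	// subject's row fails authentication even if keys were ever shared.
	s.records[subjectID] = append(s.records[subjectID], gcm.Seal(nonce, nonce, plaintext, []byte(subjectID)))
	return nil
}

// Access decrypts everything held about a subject: the basis of a subject access request.
func (s *Store) Access(subjectID string) ([]string, error) {
	gcm, err := s.gcmFor(subjectID)
	if err != nil {
		return nil, err
	}
	out := []string{}
	ns := gcm.NonceSize()
	for _, blob := range s.records[subjectID] {
		if len(blob) < ns {
			return nil, errors.New("malformed record")
		}
		pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(subjectID))
		if err != nil {
			return nil, err // tampered or mis-filed ciphertext
		}
		out = append(out, string(pt))
	}
	return out, nil
}

// Erase implements the right to erasure by destroying the key. The ciphertext
// rows are left in place here to show that they are now useless; a real system
// would also purge them and rely on key destruction for backups it cannot reach.
func (s *Store) Erase(subjectID string) {
	if key, ok := s.keys[subjectID]; ok {
		for i := range key {
			key[i] = 0 // best-effort scrub before the map entry is dropped
		}
		delete(s.keys, subjectID)
	}
}

// Ciphertexts reports how many (now unreadable, after Erase) blobs remain for a subject.
func (s *Store) Ciphertexts(subjectID string) int { return len(s.records[subjectID]) }

func main() {
	s := NewStore()
	// Constructed sample records for one data subject.
	_ = s.Put("subj-42", []byte("name=Alice; ip=203.0.113.7"))
	_ = s.Put("subj-42", []byte("cookie_id=abc123"))
	recs, _ := s.Access("subj-42")
	fmt.Println("access request:", recs)
	s.Erase("subj-42")
	_, err := s.Access("subj-42")
	fmt.Println("after erasure:", err, "| blobs left:", s.Ciphertexts("subj-42"))
}
```

Note what this design does and does not buy you: it turns "find and delete every copy" into "delete one key", which is a far easier thing to evidence to a regulator, but it only holds if the key table itself is not backed up alongside the data, and it does nothing for plaintext that already leaked into logs or analytics exports.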
d) Does your company have capacity?
Depending on the nature and scale of your processing, you may have to create a department dedicated to privacy and appoint a data protection officer (DPO). A DPO is mandatory for public authorities and for companies whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data such as health data. You can also outsource the role to an external DPO. The DPO is responsible for internal record keeping, advises on data protection obligations, acts as the contact point for the supervisory authority and should raise awareness within the company about data protection and privacy.