GDPR is a European regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and non-compliance could cost companies and professionals dearly. Here’s what every professional that does business in Europe needs to know about GDPR.
Companies and professionals that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.
Compliance will raise new concerns and expectations for security teams. For example, the GDPR takes a wide view of what constitutes personal identification information: companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.
The GDPR does not replace the confidentiality agreement (usually known as an NDA) between the professional and the companies the professional works with. The GDPR governs personal data protection, while the NDA is an agreement to avoid disclosure of any kind of information that belongs to the direct and indirect customers. An agreement with a given company will always have an addendum to guarantee confidentiality and, in most cases, another addendum dealing with GDPR requirements (or a request for a declaration of GDPR compliance).
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which companies does the GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
Indeed, even a professional translator, interpreter, reviewer, proof-reader, etc. who has a relationship with European companies has to be compliant and aware of the minimum requirements. This is because, even though the core business of those professionals is not based on personal data processing, they may come to process documents and information containing this kind of personal data during the enforcement of the agreement between the professional and the company.
Your GDPR Checklist
1/ Question: Do I have all the necessary documentation to show my customer, in a concise and simple way, how I collect, store and process any personal data?
1/ Answer: Any data collection has to be accompanied by an information notice containing all the information required by Article 13. One of the new requirements for all of us is the need to use simple and clear language.
2/ Question: Have I organized my professional activities in a way that I only collect and/or process personal data that are strictly necessary for my work and for the enforcement of the agreement I have with the Company?
2/ Answer: The general principles to adopt are set out in Articles 5 and 11.
Note that the principle of data minimization means collecting only the data relevant to the enforcement of the agreement. Collecting or processing data beyond the enforcement of the agreement is considered abusive processing.
3/ Question: Have I organized the storage of documents relating to the various services so that they are always accessible, but only to authorized personnel?
3/ Answer: Here the general needs for the availability and confidentiality of databases are combined. Their concrete translation is an orderly management of data and information – that is, paper files and digital folders – which keeps their contents protected from prying eyes or from access by strangers, but which at the same time allows the owner to manage the activities efficiently.
4/ Question: If applicable (I’m an agency or an associated study), have I appointed and properly trained my collaborators and have I also formalized the relationships with the professionals to whom I address for the management and development of the activities of the study?
4/ Answer: The entire ‘privacy’ organization chart of the firm must be involved in the data protection policy. It is an extensive organization chart, which includes the persons in charge (collaborators, practitioners, employees) but also those responsible for the processing, i.e. external professionals who collaborate with the firm in various capacities (lawyers of other forums, accountant, job consultant, etc.). Note that a formal appointment is required for the persons in charge (Article 29).
5/ Question: Are my PCs protected from external threats? Do I have, in case of need, the name of a trusted IT technician to ask for the solution of specific problems?
5/ Answer: This refers to the implementation of adequate software to prevent attacks or threats of various kinds and origins. In this sense it may be wise to rely on the expertise and experience of a professional.
6/ Question: Are portable PCs and other removable IT tools used in activities outside my workplace managed so as to minimize the risks of accidental loss, theft and the like?
6/ Answer: The clear example is the use of a USB pen drive: on top of mandatory password protection of the drive, it is necessary to load onto / leave on the drive only the data that must be processed during the external session.
7/ Question: Do I perform a full backup of all data on a PC at least once a week?
7/ Answer: This operation is really fundamental for data protection. Depending on the intensity of daily changes, a higher frequency than the minimum is recommended.
8/ Question: Have I defined a retention time for personal data in line with the purposes of the processing?
8/ Answer: The professional, like any data controller, is required to define the period of data storage (data cannot be stored ad libitum) and, moreover (new in the Regulation), to mention it explicitly in the information notice (as an alternative to the retention period, it is sufficient to indicate the criteria used to determine it).
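A retention period written into the information notice only protects data subjects if it is actually enforced on disk. The script below is an added example, not part of the original checklist, showing how a sole professional could apply a per-folder retention policy to their project archive: it lists every file whose last modification is older than the policy allows, runs in dry-run mode by default so the report can be checked before anything is deleted, and only removes files when explicitly told to. The folder names, retention periods and sample files are constructed for the example and are not taken from the page or from the Regulation.

```python
import os
import tempfile
import time
from pathlib import Path

# Hypothetical retention policy in days per folder (constructed for this
# example). In practice these values come from the information notice
# and the purposes of the processing, not from a script.
RETENTION_DAYS = {
    "projects": 365 * 2,   # working documents kept for the term of the agreement
    "invoices": 365 * 10,  # accounting records kept for a longer legal period
}


def expired_files(root, retention_days, now=None):
    """Return files under root whose modification time is older than retention_days."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    return sorted(
        p for p in Path(root).rglob("*")
        if p.is_file() and p.stat().st_mtime < cutoff
    )


def apply_retention(base, policy, dry_run=True, now=None):
    """Apply the policy under base. Returns {folder: [expired paths]}.

    With dry_run=True nothing is deleted; the report is meant to be
    reviewed first. With dry_run=False the expired files are unlinked.
    """
    base = Path(base)
    report = {}
    for folder, days in policy.items():
        root = base / folder
        if not root.is_dir():
            continue                     # folder absent: nothing to retain or purge
        expired = expired_files(root, days, now)
        for p in expired:
            if not dry_run:
                p.unlink()
        report[folder] = [p.relative_to(base).as_posix() for p in expired]
    return report


def build_demo(base, now):
    """Create a constructed sample tree with one fresh and one stale file per folder."""
    samples = {                           # relative path -> age in days
        "projects/fresh_job.docx": 30,
        "projects/old_job.docx": 800,
        "invoices/recent.pdf": 400,
        "invoices/ancient.pdf": 4000,
    }
    for rel, age_days in samples.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content")
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))      # back-date mtime so the file looks old


def run_demo(dry_run=True):
    """Build the sample tree in a temp dir, apply the policy, return (report, remaining)."""
    now = 1_700_000_000                  # fixed clock so results are reproducible
    with tempfile.TemporaryDirectory() as base:
        build_demo(base, now)
        report = apply_retention(base, RETENTION_DAYS, dry_run=dry_run, now=now)
        remaining = sorted(
            p.relative_to(base).as_posix()
            for p in Path(base).rglob("*") if p.is_file()
        )
    return report, remaining


if __name__ == "__main__":
    report, remaining = run_demo(dry_run=True)
    for folder, paths in report.items():
        print(f"{folder}: {len(paths)} file(s) past retention -> {paths}")
    print("still present after dry run:", remaining)
```

Keeping the deletion behind an explicit `dry_run=False` is the important design choice: the report is the document you can show a customer (checklist item 1), and the actual purge is a deliberate second step. Modification time is a rough proxy for the date a document stopped being needed; where the real end of the agreement is known, that date should drive the cutoff instead.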
9/ Question: When I have to dispose of PCs, notebooks and other devices used for my professional activity, do I make sure that there is no residual risk of exposing personal data during disposal?
9/ Answer: So-called ‘electronic trash’, when not managed, is an unfortunate source of information to the detriment of the data subjects and carries risks for the data controller as well (see the definition of data controller in the Regulation). It is a duty to refer to the provisions of the Regulation on this matter.
10/ Question: Have I taken the necessary measures for the physical security of my workplace, in the sense of taking reasonable measures or precautions to prevent unwanted access and actions that could negatively affect the confidentiality, availability or integrity of databases?
10/ Answer: The problem is always the security of the processing. This time, however, it is assessed by examining the premises / physical places in which the professional’s activities are carried out. The “adequate” protection measures can vary according to the context (for example, a practice located in a room inside a real estate unit shared with other professionals, a practice located on the ground floor of a condominium, etc.).