Don’t be taken in by every offer or threat, but don’t risk the high penalties either

With the arrival of the digital era, which brought wide use of the internet, social media, smartphones and apps, and the digitalisation of practically every area of our lives, the volume of personal data collected and the flow of information have increased dramatically.

The rules needed to change because, in today’s information society, people must be able to control their personal data, and the level of protection of personal data across the EU needed to be unified and raised. This matters all the more because it has become easier to track and profile individuals and to use that information for all sorts of purposes. Hence the need to strengthen individuals’ rights.

What is GDPR?
GDPR, which stands for General Data Protection Regulation, is a term that has been filling media space and postboxes in recent months. It replaces the EU Data Protection Directive and lays down new rules for the processing of personal data.

Where to start

There are doubtless few companies or organisations that do not handle personal data in some way. Preparation for the GDPR, which applies from 25 May 2018, must begin with the questions ‘Which personal data do you handle, where is it stored, and who can access it?’ A basic step in this context is ensuring regular, up-to-date backups of important data, which should already be standard business practice. Bear in mind that backups contain the same personal data as the live systems, so the same access controls and retention limits apply to them.

The following urgent steps should be taken prior to the implementation date:

Step 1

Inform and train employees on the details of the GDPR

It is necessary to make sure that everyone in the company is aware of the substantial changes taking place in this area, and able to implement them on time.

Step 2

Obtain consent and amend the forms used to collect e-mail addresses so that they meet the new regulation

One of the biggest changes the GDPR brings concerns consent. Every company that collects and processes personal data must first inform the individuals concerned (the data subjects) why their data is being collected and must obtain their permission.

The legal basis for the processing must be explained to the data subjects, together with the retention period and the purposes for which the data is stored, and they must be told of their right to lodge a complaint if they believe their data is being handled inappropriately.

IMPORTANT: Consent must be given by a clear and understandable statement or by an unambiguous affirmative action, and you must be able to prove it. Pre-ticked boxes and silence do not count.

Step 3

Ensure transparency and traceability of personal data by tracking consent for communication; a robust customer relationship management (CRM) system is recommended

As well as obtaining consent, the GDPR requires a record of when and how consent was received. In practice this means that companies have no choice but to document where personal data is stored, where it came from, and with whom it is shared. To comply with the regulation, companies may have to organise an audit or obtain consent again from the data subjects if they cannot prove how the existing consent was obtained.

Companies must, of course, also keep their customer information up to date and, where information is shared with other companies, inform the customers concerned.

Step 4

Provide the right to erasure and the right to data portability

Each individual gains significantly greater control over the flow of personal data: with the introduction of the GDPR, consent given by an individual is no longer permanent, and individuals have the right, at any time, to request access to the information stored about them, to demand its complete deletion, to withdraw consent, or to have their personal data transferred to another provider without hindrance.

From personal experience, the Kongres magazine team recommends that data protection be handled by a company specialised in this field. This will ensure that systems and servers are always upgraded to the latest versions, and that data is stored in data centres in accordance with European directives.

Step 5

Appoint a data protection officer (DPO)

Alongside the GDPR, a new requirement enters into force obliging companies to appoint a data protection officer where their core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO may be an employee of the company or an external person engaged under a service contract where there is no need for a full-time position in the area of personal data protection.

The appointed person must be a professional in the field of personal data protection, who will respond to requests for access to data, oversee the collection of consent, initiate procedures in the event of an incident and inform all those involved: colleagues, the supervisory authority and the affected individuals. A personal data breach must be notified to the supervisory authority within 72 hours of the company becoming aware of it and, where the breach is likely to result in a high risk to the individuals concerned, those individuals must be informed without undue delay.

Step 6

Protect children and adolescents

The new regulation is particularly strict on the processing of data about children and adolescents. By 25 May, companies that process such data must have a clear mechanism for verifying the age of individuals. Where an individual is younger than 15, consent must be obtained from a parent or guardian. (The GDPR sets the default age of consent at 16 but lets member states lower it to as little as 13, so check the threshold that applies in your jurisdiction.)
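Steps 2 to 4 above call for consent that can be proven, a record of when and how it was given, withdrawal at any time, a machine-readable export for the data subject, and erasure on request. The following is an added example, not code from the article or from Kongres Magazine, showing one way to build such a record: an append-only ledger in which every consent event carries a hash of the previous entry, so any later edit to the history is detectable; subjects are referenced only by a keyed pseudonym, so an erasure request can be honoured by deleting the subject’s key (crypto-shredding) without breaking the chain. The event fields (`notice_version`, `source`), the purpose names and the sample e-mail addresses are assumptions made for the example.

```python
"""Tamper-evident consent ledger with pseudonymised subjects (illustrative example)."""
import hashlib
import hmac
import json
import os
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


def pseudonym(subject_key: bytes, email: str) -> str:
    """Keyed pseudonym for a subject: cannot be reversed without the key."""
    return hmac.new(subject_key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject: str         # pseudonym, never the raw e-mail address
    purpose: str         # assumed purpose label, e.g. "newsletter"
    action: str          # "grant" or "withdraw"
    notice_version: str  # assumed field: version of the privacy notice shown at the time
    source: str          # assumed field: where the action came from, e.g. "web-form:/subscribe"
    at: str              # ISO-8601 UTC timestamp of the affirmative action
    prev_hash: str       # digest of the previous entry (the chain link)

    def digest(self) -> str:
        # Canonical JSON so the same entry always hashes to the same value.
        body = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.events: list = []

    def _append(self, subject: str, purpose: str, action: str,
                notice_version: str, source: str, at: Optional[str]) -> ConsentEvent:
        prev = self.events[-1].digest() if self.events else GENESIS
        at = at or datetime.now(timezone.utc).isoformat()
        ev = ConsentEvent(subject, purpose, action, notice_version, source, at, prev)
        self.events.append(ev)
        return ev

    def grant(self, subject, purpose, notice_version, source, at=None) -> ConsentEvent:
        return self._append(subject, purpose, "grant", notice_version, source, at)

    def withdraw(self, subject, purpose, source, at=None) -> ConsentEvent:
        return self._append(subject, purpose, "withdraw", "", source, at)

    def _latest(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        latest = None
        for ev in self.events:
            if ev.subject == subject and ev.purpose == purpose:
                latest = ev
        return latest

    def has_consent(self, subject: str, purpose: str) -> bool:
        """The most recent event for this subject and purpose decides."""
        latest = self._latest(subject, purpose)
        return latest is not None and latest.action == "grant"

    def proof_of_consent(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        """The grant record (when, how, which notice) that currently authorises processing."""
        latest = self._latest(subject, purpose)
        return latest if latest is not None and latest.action == "grant" else None

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True

    def export_subject(self, subject: str) -> str:
        """Right of access / portability: everything held about one subject, machine-readable."""
        return json.dumps([asdict(e) for e in self.events if e.subject == subject], indent=2)


def demo() -> dict:
    """Walk through grant, withdrawal, tamper detection and crypto-shredding."""
    key_store = {"ana@example.test": os.urandom(32)}  # constructed sample subject
    subj = pseudonym(key_store["ana@example.test"], "ana@example.test")
    ledger = ConsentLedger()
    ledger.grant(subj, "newsletter", "notice-v2", "web-form:/subscribe", at="2018-05-25T10:00:00+00:00")
    granted = ledger.has_consent(subj, "newsletter")
    ledger.withdraw(subj, "newsletter", "email-unsubscribe-link", at="2018-06-01T09:00:00+00:00")
    withdrawn = not ledger.has_consent(subj, "newsletter")
    intact = ledger.verify_chain()
    # Erasure request: delete the key, and the ledger entries can no longer be linked to Ana.
    del key_store["ana@example.test"]
    return {"granted": granted, "withdrawn": withdrawn, "chain_intact": intact,
            "entries": len(json.loads(ledger.export_subject(subj)))}


if __name__ == "__main__":
    print(demo())
```

Keep the key store separate from the ledger (ideally in an HSM or a key-management service) so that deleting a key is a genuine erasure, and never let a raw e-mail address into an event, since the hash chain makes the entries practically undeletable by design.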

The new legislation on the protection of personal data gives congress participants:

1. Stronger supervision and more effective enforcement of personal data protection.

2. Easier access to personal data – individuals must be informed in a clear and understandable way about how and for what purpose their personal data is being processed.

3. The right to erasure (the ‘right to be forgotten’): if individuals no longer wish their personal data to be processed and there is no legal ground for keeping it, they may demand that the company delete it.

4. The right to know how long personal information is stored.

5. The right to request rectification or erasure, and the right to object to processing.

6. The right to the transferability of personal data, which will ease the process of transmission of personal data in cases where customers wish to change service providers.

7. The right to an effective remedy and to sanctions: individuals may lodge a complaint with a supervisory authority, may challenge the authority’s decision or its inaction before a court, and have a right to compensation from the controller or processor that is liable.

8. The right not to be subject to a decision based solely on automated processing, including profiling (e.g. assessment of personal characteristics, health, habits etc.), that produces legal or similarly significant effects for the individual.
