When the GDPR comes in on 25 May 2018, it will significantly change the way that you handle your customers’ data; to not comply with new regulation risks a fine up to 4% of your annual turnover, or €20m, whichever is higher.
We know the internet is a quagmire of information on the GDPR, that’s why we’re here to help. In our role as a technology provider, we’ve committed ourselves to supporting you through coming changes.
As a first step, we have set-up an advice line for customers firstname.lastname@example.org – please contact us with any question you have and ask us for advice. The aim of the GDPR is to protect residents within the EU from data breaches, an increasingly common concern amongst businesses and their customers. To help you can get to grips with what GDPR means for you, we have listed its key points below.
The reach of GDPR
GPDR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
Under GDPR, organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). These rules apply to both controllers and processors.
Consent for data use by the customer must be given, clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours.
Right to Access
Customers have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller shall provide a copy of that data, free of charge, in an electronic format.
Right to be Forgotten
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and have third parties halt processing of the data.
GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’.
Privacy by Design
Privacy by Design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.
If you deal with children, you need to consider putting in place systems to verify ages and ways in which to get parental or guardian consent to processing.