Have you already marked May 25, 2018 in your calendar? Not yet? Then make sure you do! No, it’s not your wedding anniversary and it’s not Aunt Mabel’s 70th birthday – it’s the day when the European General Data Protection Regulation (GDPR) will be implemented. This new regulation means quite a few changes for you as a service provider. If you’re thinking, “Oh, that only applies to big corporations!”, then think again! Find out what kind of changes are coming and why it’s so important to adhere to the new law. And to help you get started right away, we’ve created a convenient GDPR Compliance Checklist for you.
What are these personal details everyone’s talking about?
Let’s start at the beginning: The EU General Data Protection Regulation replaces the 1995 Data Protection Directive. It applies to all companies based in the EU as well as all companies that process personal data belonging to EU citizens. Its aim is to unify the protection of personal data. But what does that actually mean? There are different legal definitions, but in general it means all information that is recorded about an individual person. For example, this includes general personal data such as name, address, and date of birth, but also tax ID number, bank details, IP address, hair color, license plate number and much more. Examples of special personal data categories include ethnic origin, political views and health-related information.
Changes brought about by the EU General Data Protection Regulation
The GDPR sure doesn’t make for easy reading – even some attorneys struggle with it. But the clock is ticking! May 25, 2018 is fast approaching, and all required changes must be implemented by then. If you don’t know where to start, don’t worry: We’ve put together the most important points of the EU General Data Protection Regulation for you. If you want to dive into the details, you can find the legislative text here.
Prohibited unless authorized
The collection, processing and use of personal data is generally prohibited unless you have legal permission or the consent of the person in question.
What that means for you: If you wish to collect data that isn’t relevant for a contract, for example, you need to obtain written consent. Furthermore, you have to inform your client about the specific purpose of the data collection, processing and use.
You may only collect and process the minimum amount of data necessary.
What that means for you: To deliver goods to your client, you need their address but not their date of birth ‒ and certainly not their hair color.
You may only use any data collected for its specified purpose and may not collect it without a purpose in mind.
What that means for you: For example, if you receive a client’s email address so you can send them a contract, you may not use the email address to send them advertising material.
Any data you save must be factually correct and accurate with regard to content. Furthermore, the data must always be kept up to date.
What that means for you: As soon as you find out that a client has a new address, you must change it in your system and ensure that the change is made throughout all your systems and documents.
All technical and organizational measures must be taken to provide appropriate data security. This means you have to take into account the state of the art, the cost of implementation, the type and scope of the processing, and a risk analysis. The level of protection required depends on the type of personal data.
What that means for you: You have to do everything you can to sufficiently protect your clients’ data – for example, via encryption, password protection or different levels of access privileges.
Right to be forgotten
Personal data must be deleted if there is no longer a purpose or a legal reason for its use.
What that means for you: As soon as the data has served the purpose it was collected for, you must delete it. The same applies if consent is withdrawn or if the processing was unlawful. Exceptions include retention obligations related to tax law.
Upon request, you should be able to demonstrate compliance with all articles of the EU General Data Protection Regulation.
What that means for you: You have to document all compliance with the regulation. We’ll go into this in more detail later on. Documentation is the be-all and end-all of the GDPR.
Obtain consent for data processing
If you collect and process personal data, you need verbal, written or electronic consent from the person concerned. You also have to specify the processing purpose as specifically as possible. It’s not permissible to have one form of consent for all purposes, and the client must be allowed to withdraw their consent at any time.
What that means for you: Since you have to prove that you’ve received consent for data processing, it’s best to obtain consent in written or electronic form. Verbal consent is difficult to prove. If you obtain consent for data processing via a double opt-in, the check box must not be pre-selected. A single opt-in is not sufficient because an email address may be entered by an unauthorized third party.
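The double opt-in described above, written out as an added example (this is illustrative code, not Shore’s product code): the consent box must be actively ticked, nothing is processed until the mailbox owner confirms a random token sent by email, consent is bound to one purpose, it can be withdrawn at any time, and a record without the secret token is kept as evidence. The class and function names, the in-memory store, the 48-hour confirmation window and the email addresses are all constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class ConsentRecord:
    """Evidence kept for one email address and one processing purpose."""
    email: str
    purpose: str                         # one record per purpose; no blanket consent
    requested_at: datetime               # when the user submitted the form
    token: str                           # random secret sent in the confirmation mail
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None


class DoubleOptIn:
    """Hypothetical in-memory double opt-in store (constructed for this example)."""

    def __init__(self, confirm_within: timedelta = timedelta(hours=48)):
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self._confirm_within = confirm_within

    def request(self, email: str, purpose: str, box_ticked: bool, now: datetime) -> str:
        # A pre-selected box is not consent: the user must tick it themselves.
        if not box_ticked:
            raise ValueError("consent box was not actively ticked by the user")
        rec = ConsentRecord(email.lower(), purpose, now, secrets.token_urlsafe(32))
        self._records[(rec.email, purpose)] = rec
        return rec.token                      # goes into the confirmation email only

    def confirm(self, email: str, purpose: str, token: str, now: datetime) -> bool:
        rec = self._records.get((email.lower(), purpose))
        if rec is None or rec.confirmed_at is not None:
            return False
        if now - rec.requested_at > self._confirm_within:
            return False                      # stale link: the user must start over
        if not hmac.compare_digest(rec.token.encode(), token.encode()):
            return False                      # guessed or tampered token
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, purpose: str, now: datetime) -> bool:
        rec = self._records.get((email.lower(), purpose))
        if rec is None:
            return False
        rec.withdrawn_at = now
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        # Only a confirmed, non-withdrawn record for this exact purpose allows processing.
        rec = self._records.get((email.lower(), purpose))
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """Documentation of the consent, without the secret token."""
        rec = self._records.get((email.lower(), purpose))
        if rec is None:
            return None
        fmt = lambda t: t.isoformat() if t else None
        return {"email": rec.email, "purpose": rec.purpose,
                "requested_at": fmt(rec.requested_at),
                "confirmed_at": fmt(rec.confirmed_at),
                "withdrawn_at": fmt(rec.withdrawn_at)}


def run_demo() -> dict:
    """Walk through the flow with constructed addresses and fixed clock values."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    store = DoubleOptIn()
    results = {}
    # 1. A pre-selected box is rejected.
    try:
        store.request("anna@example.com", "newsletter", box_ticked=False, now=t0)
        results["preselected_rejected"] = False
    except ValueError:
        results["preselected_rejected"] = True
    # 2. Submitting the form alone (single opt-in) permits nothing yet.
    token = store.request("anna@example.com", "newsletter", box_ticked=True, now=t0)
    results["processing_before_confirm"] = store.may_process("anna@example.com", "newsletter")
    # 3. Someone who merely typed the address does not hold the emailed token.
    results["wrong_token_accepted"] = store.confirm("anna@example.com", "newsletter",
                                                    "guess", t0 + timedelta(minutes=5))
    # 4. The mailbox owner clicks the link.
    results["confirmed"] = store.confirm("anna@example.com", "newsletter",
                                         token, t0 + timedelta(minutes=10))
    results["processing_after_confirm"] = store.may_process("anna@example.com", "newsletter")
    # 5. Consent for the newsletter does not cover a different purpose.
    results["other_purpose"] = store.may_process("anna@example.com", "advertising")
    # 6. A confirmation link used after the window is rejected.
    late = store.request("ben@example.com", "newsletter", box_ticked=True, now=t0)
    results["expired_link_accepted"] = store.confirm("ben@example.com", "newsletter",
                                                     late, t0 + timedelta(days=3))
    # 7. Withdrawal at any time stops processing; the record stays as evidence.
    store.withdraw("anna@example.com", "newsletter", t0 + timedelta(days=30))
    results["processing_after_withdraw"] = store.may_process("anna@example.com", "newsletter")
    results["evidence_has_no_token"] = "token" not in store.evidence("anna@example.com", "newsletter")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The confirmation token is only ever sent to the mailbox, so a third party who entered someone else’s address cannot complete the opt-in; the evidence export deliberately omits the token so that the stored proof of consent cannot be replayed as a confirmation.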
Data protection consent obtained in accordance with the requirements of the German Federal Data Protection Act and the German Telemedia Act – if you’ve been complying with them – shall remain valid. Additionally, this consent has to be documented.
What that means for you: It’s best to obtain consent from your clients again, just to be on the safe side.
All website owners must update their privacy policies. The new version should be precise, clear, understandable and easily accessible. Furthermore, it must be written in clear, simple language and include the legal grounds for data processing.
Contract data processing
If you are collecting, processing or using personal data from an external contractor, you must ensure that they also comply with these provisions and carry out documentation.
What that means for you: For example, if you pass on personal data to a tax advisor, marketing agency or electronic payment service, you have to ensure that they also comply with the EU General Data Protection Regulation. You are responsible for the compliance.
Data Protection Officer
All companies that work with special categories of data need a Data Protection Officer. This also applies to companies whose core activities “require regular and systematic monitoring of data subjects on a large scale.” All other companies only need a Data Protection Officer if more than 9 employees (including freelancers, interns, etc.) are engaged in constant processing of personal data.
What that means for you: The first two points probably don’t apply to your company. In that case, the number of employees who have access to client data is the crucial factor here.
Data protection duties for employers
Employee data protection also plays an important role in the new regulation. Here, you may also only collect as much data as you require. Otherwise you’ll need written consent, which can be withdrawn at any time. Furthermore, you must also comply with the obligatory documentation rules.
What that means for you: You have to treat data belonging to your employees and applicants just as carefully as client data. Retention requirements and maximum retention periods also apply here.
Two ways to help you comply with the European General Data Protection Regulation
You’re probably sitting in front of your computer with a sense of dread, wondering: “How in the world am I supposed to comply with this and implement all these things?!” The changes that the EU General Data Protection Regulation brings really pack a punch. There’s no way around dealing with it – and when you do, the most important thing is taking a structured approach to the matter.
1. Keep a record of your processing activities
Create a table where you record the type of personal data you collect as well as when, how, and why you collect it. You will need one table for each type of processing – e.g., payroll accounting, customer administration, sales, etc.
Your list could look like this:
- Name and contact details of the person collecting the details, the company representative, and the Data Protection Officer, if applicable
- Purposes of processing
- Legal grounds
- Category of the person in question
- Data recipient
- Transfer to third parties/non-member countries
- Deletion periods
- Technical and organizational protection measures
- Is the data anonymized/pseudonymized?
- How was consent obtained from the person in question?
2. Define and document processes
Keep a written track record of personal data in your company, from collection, saving and usage right through to deletion. Also create a list where you document ‒ and where necessary, optimize ‒ all activities related to data processing.
What happens if you don’t comply with the General Data Protection Regulation?
Along with the GDPR, new penalties for non-compliance with the regulation also come into force. In the worst-case scenario, companies will have to pay fines of €20 million or 4 percent of their annual turnover – whichever is higher. As you can see, the European General Data Protection Regulation is something you need to take very seriously!
Data protection with Shore
We want to protect your data in the best way possible. That’s why we’re currently reworking all our internal processes and procedures. We’re also pulling out all the stops to implement all the legal requirements. For example, we’ll soon provide our customers with an in-product agreement on processing personal data and have created a double opt-in for our newsletter. We’ve also implemented stricter requirements for passwords.
Ready for GDPR? Check your compliance status!
To make sure you’ll be ready to roll on May 25th, we’ve created a GDPR Compliance Checklist for you. This will help you check off everything you’ve done and ensure that you don’t forget anything.
If you have any questions regarding the implementation of the new regulation, or if any of the points are unclear to you, it’s worth getting an attorney on board.
Please note: This page is intended to give our customers some useful advice regarding the GDPR. This is not a complete list of instructions or a legal recommendation. Every organization should carry out the steps necessary for them to ensure their GDPR compliance.