Below are the top ten things all companies and people need to know about GDPR:
GDPR applies only to:
The only real exceptions are:
If you have a single citizen of the EU on staff, OR your firm touches EU citizen data in any way, OR you have a single staffer stationed in Europe, GDPR applies to your company.
Yes, the legislation calls EU citizens “data subjects” and they must now be told WHY the data is being collected. Article 12 states:
“…relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…”
It goes so far as to say that companies can no longer bury consent in long “End User License Agreements” (EULAs) that almost no one reads. GDPR Article 7 is titled Conditions For Consent and states:
“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
If a company collects or works on (“processes” in the GDPR vernacular) data on EU citizens, it must have an explicit business purpose for doing so. The days of Radio Shack requesting all your personal contact information just so you can buy a no-name AAA battery in their store are over.
Personal data on EU citizens must be deleted (without request) as soon as the ORIGINAL business use for collecting that data is complete. The act does not explicitly state a maximum period of time data can be maintained; instead it says:
This is the fifth data protection principle. In practice, it means that you will need to:
Yes, people of the EU have the legal RIGHT to be forgotten, meaning that if a user requests their data be deleted, the company must remove it in a timely fashion. Article 17 of GDPR is titled the “Right To Erasure”, and Article 7 gives you the RIGHT to withdraw your consent at any time, thereby requiring the prompt deletion of your personal data:
“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”
All companies subject to GDPR, regardless of their head office location, must have a “Data Protection Officer” (DPO) that reports directly to the CEO, so it is a very serious job. Article 39 of GDPR states:
Data breaches must be reported within 72 hours of the breach being identified, both to the GDPR regulator AND to the affected people if the breach can cause “significant harm”.
No, GDPR is B2P (Business to Person) legislation and does not apply to B2B (Business to Business). That does not mean that Company A can transfer EU personal data to Company B for processing, to get around GDPR. In that situation, both companies are liable. Company A is liable for breaches or misuse of personal data for anyone they transfer the data to. Company B is working with EU personal data, regardless of the source of that data, so they are liable to keep the data safe and processed for lawful purposes.
Yes, companies are required to fully disclose and transfer any information they have on a citizen of the EU on demand.
Under GDPR, there is no ‘set it and forget it’ solution. There is no single thing or list of things that companies must do to protect personal data to be compliant with GDPR. GDPR anticipates technology change and requires companies to continuously upgrade and adapt their personal data protection systems.
This Microsoft video provides a good overview of GDPR in 20 minutes:
For more information see these sites: