17 Jan, 2024
A brief General Data Protection Regulation (GDPR) summary to remind you of your compliance requirements
GDPR began in 2012, when the European Commission proposed a single data protection framework for the whole of the EU. The regulation was adopted in April 2016, and it started to apply in May 2018, two years after it entered into force, giving organisations that time to prepare. Two ideas run through the whole regulation: the individual's right to understand how their data is used, and the fact that the rules do not stop at the EU's borders, since they apply to any organisation processing the personal data of people in the EU, wherever that organisation is based.
Here is a breakdown of the basic rules of GDPR to help you stay compliant:
Lawfulness and Transparency
Seen from the point of view of the data subject (the individual the data is about), GDPR is simple: it works in our interest by guaranteeing access to the data companies hold about us and clarity about how it is processed. The right to know what data a company holds about us is a real change and a strong tool against misuse of data and spam. Companies can still process the data they need to operate, but they must be open about it, in their policies and in their interactions with the end user, and they must have a lawful basis for every processing activity.
Data Use Limitation – Business Purpose
Data must be collected for specified, explicit and legitimate purposes that are connected to your business processes, and it may not later be used for a purpose incompatible with those. Unnecessary data collected before GDPR has to be deleted. The reason for collecting and using the data has to be clear to the end user, which means privacy policies need to be less jargon-heavy and more user-centred.
Accurate Data and Data Minimisation
Companies may now collect only the data they actually require, and they must keep it accurate and up to date.
Many companies were collecting information well beyond what they needed to do their job. Under GDPR this becomes unlawful, and companies need to delete data they do not need. Data that you are legally required to keep is the exception: where local company law, especially accounting and tax rules, obliges you to retain records, that legal obligation is itself a lawful basis for keeping them for the required period.
Accountability and the Data Controller
GDPR requires a Data Protection Officer (DPO) to be appointed in specific cases: public authorities, and organisations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data. Most small businesses fall outside that requirement, but accountability does not go away. Even a solopreneur is a data controller and remains responsible for organisation-wide compliance, must publish contact details for data protection matters, and must be available to handle internal reports and external requests regarding GDPR.
Data Subject Rights
It is important that you respect the data subject's rights. They have the right to know what data you hold about them and to request a copy of it. You must provide this free of charge and without undue delay, and in any case within one month of the request (extendable by a further two months only for complex or numerous requests, and you must tell the person why).
Data Integrity
Integrity and confidentiality together form one of the core GDPR principles. Companies must take appropriate technical and organisational measures to protect personal data against unauthorised access, loss and alteration, and the regulation also expects the systems processing that data to be resilient and the processing itself to be traceable. This has resulted in many private entities and groups needing to upgrade their IT infrastructure and software, particularly the software that processes personal data.
The right to be forgotten
An important part of GDPR is the right to be forgotten, the right to erasure. Even if the way you collect your data is GDPR compliant, an individual can ask you to delete their data, and unless you have an overriding legal ground to keep it (for example a statutory retention obligation), you must do so. Closely related is the storage limitation principle, which caps how long you may keep data in the first place. The limit is simple: it is the length of time for which you genuinely need, or are legally required, to keep the data for processing. You cannot keep data longer than that, and you should document the retention period for each category of data so you can show why it is still held.
Proof of Consent
When you rely on consent to collect customer or employee data, on paper or online, you must be able to prove that the person gave it: consent has to be freely given, specific, informed and unambiguous, and pre-ticked boxes do not count. This means updating online and printed forms to include your GDPR policy details and explicit opt-in checkboxes, and keeping a record of who consented, when and to what. It is important that when people register they know what they are registering for, and that in every communication you give them an easy way to withdraw the consent they gave you, since withdrawing must be as easy as giving it. Consent is only one lawful basis; where you process data under a contract or a legal obligation, say so rather than asking for consent you do not need.
If you're still not fully GDPR compliant, don't worry: companies are still catching up. At Intercomp we have already helped many companies become fully compliant. Get in touch for a free consultation at business@intercomp.com.mt