The authorities are getting up to speed in handling complaints and breaches, and yes, they do impose fines. Here is your checklist, in simple wording, what it takes to make you as compliant as possible to the GDPR regulation.
The General Data Protection Regulation is not an easy document to understand. It demands knowledge and perseverance to struggle your way through the whole legislation. and even then there is still room for discussion. No many companies take the effort to find out if they are in violation of the GDPR law. However, I believe they should.
Processing of personal data
This is a good place to start. Since organizations must process personal data in a lawful, fair and transparent manner. What does that mean?
- Lawful: means that the processing of the personal data must be based on a legitimate interest. There are only 6 of them available, described here.
- Fair: Organizations shall not process personal data for another purposes than the legitimate interest. Just be honest and do what you promise.
- Transparent: Organizations must inform the data subjects how they process the personal data.
Limit the processing of personal data
You should limit the processing of personal data and collect only what is really necessary. You cannot keep the personal data once the purpose of the processing is finished. Conclusion:
- Do not process personal data outside of your legitimate purpose
- Only process the personal data you need
- Delete the personal data if the legitimate purpose is fulfilled. Yes, you cannot keep it any longer, it's against the law.
Data subjects have rights
Any data subject - which basically means a natural person, it might be you - has the right to:
- Ask any organization what information it has about them
- Ask any organization what it does with the personal data of the data subject
- Ask any organization to correct the personal data
- Object to processing his/her personal data
- File a complaint against the organization
- Ask to delete or transfer his/her personal data.
If the lawfulness of the processing of personal data is based on consent of the data subject, a clear and explicit consent of the data subject must be asked. Organizations should store and document this consent.
The data subject is always allowed to withdraw this consent. For the processing of personal data of children, organizations should take extra measures.
Personal Data Breach
Organizations should have a register of all data breaches. The Data protection Authority must be notified when the risk and freedoms of the data subjects are high in case of a data breach. An evaluation must be made to also inform the data subjects themselves.
In my next article, I'll deal with more GDPR related items like Privacy by Design, DPIA, Data transfers and much more.