What is The General Data Protection Regulation?
The General Data Protection Regulation (GDPR) regulates how data controllers and processors collect, store and use personal data. It replaces a patchwork of national rules with one set of data protection rules across the EU. Non-European companies that handle the personal data of people in the EU must also familiarize themselves with the Regulation and comply with it; it has applied since 25 May 2018.
From the official website: “The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
So, if you deal with the personal data of EU residents or citizens (including the people behind the EU businesses you work with), then you will need to comply with the GDPR. You will need to look at your use of personal data and make some important decisions.
See eugdpr.org for full details, but read on for our GDPR lite.
Why GDPR was Adopted
- To standardize data protection rules, how they are implemented and how they are enforced. This gives consistent rules across the EU member states that companies, including non-European ones, can rely on.
- To ensure individuals have control over the personal details they provide.
- To replace the 1995 Data Protection Directive (Directive 95/46/EC), which predates the smartphones, cloud services and routine cross-border transfers that personal data now flows through.
- To set data protection standards that simplify international transfers of personal data while tightening control over who can access it within EU companies.
- To ensure personal information is not kept for longer than necessary.
- To create a process for removing collected personal data at the data subject's request (the right to erasure).
GDPR and Retention of Personal Data
The GDPR requires companies (including non-EU companies that deal with the EU) to minimise the amount of personal data they store and to limit how long they store it. Personal data should not be kept longer than it is needed for the purpose it was collected for, unless it is archived in the public interest or kept for scientific or historical research or statistical purposes.
As part of their data retention policies, organizations are required to train employees on their responsibilities and on the importance of careful data handling. Personal data should be kept accurate and up to date, and recorded for a specific, documented purpose. When storing personal data, the company should identify the categories of data it actually needs to keep, name who is responsible for each category, and decide when each category is to be retained, deleted once it is no longer needed, or deleted on request.
Keeping an up-to-date record reduces the risk of holding inaccurate or irrelevant information. Organizations will be held accountable for following their own data retention policies.
Data retention rules
- You should have a defined time frame for holding each kind of personal data.
- You should be able to state why you hold the information and how long you may keep it.
- Delete information that is no longer needed for its stated reason.
- Keep the information you retain up to date, and delete outdated information.
Problems of keeping personal information over a long period of time.
- It results in outdated information, which leads to wrong outputs. Garbage in, garbage out.
- It becomes harder to verify and maintain the accuracy of information as time passes.
- It widens your attack surface. The Regulation requires retained data to be kept secure, so every record you keep beyond its useful life is one more record you must protect and one more that is exposed in a breach.
The GDPR strengthens data protection by giving individuals the right to access the information held about them, and it backs the new rules with a regime of fines for companies that fail to comply.
Steps to GDPR compliance
- Understand the GDPR policies: A Data Protection Officer (DPO) may need to be appointed to provide training to all staff within the company. Creating awareness of the GDPR rules ensures everyone knows their roles and responsibilities towards compliance with the regulatory framework. Staff, controllers and processors should know the GDPR requirements and the consequences of non-compliance.
- Data register: After educating everyone on their roles and on the steps the company is taking to implement the rules, keep a record of what personal data is processed, why, by whom and for how long. This record is known as a data register (the GDPR calls it a record of processing activities). If a breach occurs, or a supervisory authority (the national Data Protection Authority, DPA) asks, the business should be able to demonstrate its compliance through the data register. Without this proof, the company faces fines of up to 2% or, for the most serious infringements, 4% of its annual worldwide turnover.
- Classifying which data to protect: The DPO needs to classify which customer data is personal data, which of it is sensitive, and how each class will be protected. For all personal data, determine where it is collected, where it will be stored and who will have access to it.
- Prioritize data: Once data is classified and you have decided how it will be protected, put the individual's privacy first. Personal data is valuable to attackers, so the organization needs the right processes to protect it. The company should also assess and document the risks and vulnerabilities that remain under its security policies.
- Review: Review whether the previous steps were effective and where they fell short, and make changes where necessary.
- Gathering data: If you intend to gather data on an EU customer on the basis of consent, you need an explicit ‘opt in’ (they must actively choose to allow you to collect and use their data; a pre-ticked box does not count). You must make it clear what you intend to do with the data, and there must be a process to remove it at the customer's request.
Any company dealing with the personal data of EU residents or citizens will have to comply with the GDPR in some form. So it's time to review your stored data and start making some important decisions. We hope this article will help you make some of them.
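The retention rules above (a documented purpose, owner and time frame per category of data, deletion once the period expires or on request) and the data register step are easiest to get right when the register itself drives the clean-up. The following Python is an added example written for this article, not code from eugdpr.org or from any regulator; the register entries, record layout and the sample records are constructed for illustration, and the `REGISTER`, `Record`, `retention_decision` and `sweep` names are hypothetical. It shows a sweep that decides, for every stored record, whether to keep it, delete it, or quarantine it because nobody has documented a purpose for it, and it handles the one erasure edge case practitioners most often get wrong: a record kept under a legal obligation (an invoice for tax accounting) is not deleted on request.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical data register: one entry per category of personal data the
# organization keeps, with its purpose, owner, lawful basis and retention period.
@dataclass(frozen=True)
class RegisterEntry:
    purpose: str
    owner: str
    legal_basis: str       # "consent", "contract" or "legal_obligation"
    retention_days: int

REGISTER = {
    "support_ticket":   RegisterEntry("customer support", "support-lead", "contract", 365),
    "newsletter_signup": RegisterEntry("marketing emails", "marketing-lead", "consent", 730),
    "invoice":          RegisterEntry("tax accounting", "finance-lead", "legal_obligation", 3650),
}

# Hypothetical stored record; a real job would read these from the database.
@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    category: str
    collected_on: date
    consent_withdrawn: bool = False

def retention_decision(record: Record, today: date, erasure_requests: set) -> str:
    """Return 'keep', 'delete' or 'quarantine' for a single record."""
    entry = REGISTER.get(record.category)
    if entry is None:
        # No documented purpose for this category: stop processing it and
        # escalate to a human owner rather than guessing a retention period.
        return "quarantine"
    expires_on = record.collected_on + timedelta(days=entry.retention_days)
    if today >= expires_on:
        return "delete"          # storage limitation: past the documented period
    if entry.legal_basis == "consent" and record.consent_withdrawn:
        return "delete"          # consent was the only basis and it has been withdrawn
    if record.subject_id in erasure_requests:
        if entry.legal_basis == "legal_obligation":
            return "keep"        # Art. 17(3)(b): erasure does not override a legal duty to retain
        return "delete"          # right to erasure applies
    return "keep"

def sweep(records, today: date, erasure_requests: set) -> dict:
    """Map every record id to its retention decision."""
    return {r.record_id: retention_decision(r, today, erasure_requests) for r in records}

# Constructed sample data (not real records).
TODAY = date(2018, 6, 1)
ERASURE_REQUESTS = {"erin"}
SAMPLE_RECORDS = [
    Record("t1", "alice", "support_ticket", date(2018, 1, 15)),                        # within 365 days
    Record("t2", "bob",   "support_ticket", date(2017, 3, 1)),                         # expired
    Record("t3", "erin",  "support_ticket", date(2018, 4, 1)),                         # erasure requested
    Record("n1", "carol", "newsletter_signup", date(2018, 2, 1), consent_withdrawn=True),
    Record("i1", "erin",  "invoice", date(2017, 9, 1)),                                # legal duty to retain
    Record("x1", "dave",  "marketing_scrape", date(2018, 5, 1)),                       # not in the register
]

if __name__ == "__main__":
    for record_id, decision in sweep(SAMPLE_RECORDS, TODAY, ERASURE_REQUESTS).items():
        print(f"{record_id}: {decision}")
```

In production the job would write each decision, the register entry that justified it and the responsible owner to an audit log before acting, because that log is what you show the supervisory authority when asked how you enforce your retention policy. Quarantined categories are the useful signal: each one is data somebody is collecting without an entry in the register.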