GDPR – Now the dust has settled

Rick Shera
25 July 2018

posted in | Data Protection | Big Data | Data Theft | Privacy | Right to be Forgotten | GDPR | European Union



So you heard all the hype about the EU’s new data privacy law, the General Data Protection Regulation (GDPR) and had good intentions to work out what it means for your business, but just like that the 25th of May came and went 2 months ago! Now you read that if you do not comply you could face sanctions of up to 4 percent of global turnover or up to EUR 20 million!…… KEEP CALM and read our checklist to find out what to do next.

Does your business collect, use or disclose the personal data of EU residents?
If yes, then you will need to comply with the GDPR.

Why do you collect personal data?
Review the purpose for which you collect personal data.

How do you process personal data?
Check that a lawful basis applies for that activity.

What personal data do you collect?
Review what personal data you collect with this principle in mind and update your processes if necessary.

If you need consent to access personal data, have you obtained that consent
Check your consent practices and update if they don’t meet the GDPR standards.
    • use positive opt-in:
    • keep consent requests separate from other terms and conditions;
    • ensure individuals can withdraw consent without detriment;
    • tell users they can withdraw their consent;
    • tell users the name who will be relying on the consent.
    • use pre-ticked boxes;
    • make consent a precondition of service.

Do you collect personal information of children under the age of 16?

If yes, you will need to include certain information in your privacy policy and obtain parental consent.

Does your business collect, use or disclose special category data, e.g health information, biometrics, religious or philosophical beliefs
If yes, in addition to identifying the lawful basis, you will need to show that you meet one of the 10 special category conditions.

How long do you keep information for?
Employ a process to establish if it is still necessary to keep data, and don’t keep it for longer than necessary.

How do you store the personal data?
Review how you store personal data and ensure that your system includes protections against:
    • unauthorised access;
    • unauthorised processing;
    • accidental loss;
    • destruction or damage; and
    • uses appropriate technical or organisational measures.
Carry out user testing to evaluate how effective your systems are.

What information to you provide to individuals?
    • Update your privacy policy to provide individuals with information required by the GDPR.
    • Regularly review and update your privacy policy, if necessary.
    • Update your privacy policy each time you plan to use personal data for a new purpose.

Does your service use decision making solely by automated means without any human involvement?

If yes, you will need to comply with the rules prescribed by the GDPR.

Does the processing of personal data (in particular using new technologies) result in high risk to individuals interests?
If yes, you will need to carry out a privacy impact assessment before carrying out such processing.

Does your service use someone else to store or otherwise process your customer’s personal data?
You will need to have contracts with them that ensure that they comply with the GDPR.

Does your business have an establishment in the EU?
If not, you will need to appoint a data representative in one of the EU member states you process personal data unless the processing is occasional, small scale and does not involve sensitive personal data.

Are you a public authority? Or do your core activities require regular and systematic monitoring of individuals or processing on a large scale of one of the special categories of data?
If yes, you will need to appoint a data protection officer.

Do I need to report a breach to the authorities?
If yes, you must report to the supervisory authority no later than 72 hours after becoming aware of it.

Do I need to inform the individual of a data breach?
If there is a high risk to the rights of an individual, then yes.

The GDPR also includes rights for individuals to access, rectify and erase and restrict the processing of their personal data.You should familiarise yourself with these rights and consider developing a policy for how to deal with such requests.

Accountability is one of the data protection principles and the GDPR makes you responsible for complying with its provisions and being able to demonstrate your compliance. You can do this through updating or implementing data policies and procedures that address privacy and data protection such as IT, HR and privacy policies, maintaining documentation about your processing activities, and reviewing and updating the measures you put in place on an ongoing basis.

While compliance with the GDPR creates an additional cost for New Zealand businesses operating in the EU, non-compliance can have significant monetary (as noted in our introduction) and reputation consequences.

Image courtesy of Dennis van der Heijden

COMMENTS (0) Post a Comment

Authorisation Code:*
To prove you're human, please type the code in the grey box into the white box. The code is case-sensitive. If you can't read the code, click on the grey box to see a new code.