What every business leader should know about GDPR
The General Data Protection Regulation, better known as the GDPR, lays down strict rules for the processing and storage of personal data within businesses.
How do you ensure that your organization complies with the GDPR?
The General Data Protection Regulation (GDPR) is a European regulation with the same legal force as a Belgian law. It lays down the rules for the protection of the personal data and privacy of EU residents.
Businesses that process and store personal data must take steps to protect that data. The GDPR was adopted in May 2016. Organizations had until 25 May 2018 to align their business operations with the GDPR.
Each member state has a Data Protection Authority (DPA, the former Privacy Commission) which monitors compliance with the GDPR.
In case of breaches, the DPA can impose fines. And it does: in France, the Internet giant Google received a fine of 50 million euro for scattering important information about personal data across multiple pages, so that it was difficult for users to find.
SMEs are not exempt either: a German website was fined 20,000 euro after hackers were able to steal passwords because of inadequate security.
What is personal data?
Personal data covers all data with which a natural person can be identified, such as name, date of birth, and phone number. In a business, it mainly concerns the data of customers and employees.
A business may collect such data, but the person whose data is collected has to consent to this.
The data can only be used for the purpose for which it was collected. So, someone who places an order online can't be automatically put on a mailing list. The data may not be kept longer than necessary.
What does your business know?
To find out if your business handles personal data correctly, you should first:
- Identify the data you collect and how that data is processed and stored;
- Check whether each processing of personal data has a specific, explicitly described and justified purpose;
- Find out if you really need that data and whether you keep it longer than necessary.
For example, after you fill a vacancy, you have to delete the personal data of all the rejected applicants, unless you receive their consent to keep the data for longer.
Businesses with more than 250 employees must keep a record of their processing activities.
SMEs with fewer than 250 employees must also do this if the processing is not incidental (as in the case of a customer database or a personal data file). The DPA provides models for such records.
How safe is your data?
A business must also take all the necessary measures to secure personal data.
This includes technical measures such as a properly secured IT system and access controls that ensure only authorized persons can reach the data.
You should also inform your employees about the principles of the GDPR and the procedure in case of incidents such as a data breach. An SME must record each data breach in a log book. In certain cases, the DPA and the person affected must also be notified.