Implemented in May 2018, the General Data Protection Regulation – or GDPR for short – applies across the European Union and it fundamentally changes the way people can share information about themselves and their preferences with organizations that process their personal data.
The concept of personal data has been given a makeover and now covers almost anything that can identify you and me. Not just your name or the MAC address of your mobile, but even the sports team you support. All of this is now protected personal data. People now have more power to shop around using their personal data. We can compare prices online by sharing our bills for things like electricity and save money by switching suppliers.
We’ve got more power to access the personal records being held on us and make sure that they’re up-to-date. And if this isn’t the case, we have the right to get them corrected. This includes adding more information so that the record isn’t inaccurate. At the end of the day, we’ve got a lot more power and a lot more choices at our disposal. Our ultimate power is to give, as well as take back, consent to the processing of personal data.
Processing of Personal Data
Personal data processing involves several parties, but to keep things simple, let’s think of it in terms of a value chain in the shape of a triangle.
There needs to be a living individual to whom personal data relates. For example, this could be a customer or employee. They’re called the Data Subject.
Then there’s the person, company or organization that wants to process the personal data of that individual. This party makes the decision as to the purposes and means of processing personal data. And it’s called the Data Controller. For example, this could be an online retailer or bank.
Many large companies and organizations use an external third party to process personal data, such as call centers or cloud service providers. This separate legal entity is called the Data Processor. This party must only act on the express written instructions of the Data Controller. Quite often a Data Processor works with other sub-processors, which extends the value chain.
It’s the Data Controller’s responsibility to make sure there are technical and organizational measures in place at each link in the value chain to comply with its duties and responsibilities under the GDPR.
A critical one is reporting a personal data breach to the Supervisory Authority within 72 hours of becoming aware of it. This is extremely important, as data protection and privacy are only as strong as the weakest link, so the Data Controller must be sure that it has everything in place to comply with the GDPR.
It’s also very common for the same company or organization to be both a Data Controller and a Data Processor. So it’s important to identify the capacity in which personal data processing is taking place in order to fulfil the duties and responsibilities under the GDPR. As a rule of thumb, more duties and responsibilities are placed on the shoulders of the Data Controller than on the Data Processor. But there’s also joint and several liability for a personal data breach under the GDPR.
It’s important that agreements are reviewed as soon as possible, as the Data Processor must guarantee that it complies with the GDPR. And the Data Controller can only use a Data Processor that provides such a guarantee; otherwise that’s also a breach of the GDPR.
Where there’s a Joint Data Controller relationship, there must be an arrangement between both companies with respect to reporting obligations to the Supervisory Authority.
It’s an Opportunity, Not a Threat!
Think about the GDPR as an opportunity to build deeper relationships with customers, clients, supporters and employees.
For companies and organizations in any sector, it provides a route-map to build trust and confidence in the digital world, where this may have been eroded or destroyed in the past. Personal data can now be processed in a highly transparent and accountable way, which helps prevent future harm or damage involving personal data.
Gone is narrow self-interest and the ruthless pursuit of profit at the cost of taking risks with personal data. In its place is putting the rights, freedoms and interests of your customers first. It’s about doing the right thing because it’s the right thing to do.
This creates a basis for future prosperity and success, whether the organization is large or small, public or private.