In an increasingly digital world, ensuring legitimacy of personal data processing and mitigating the risks of cyber threats and data breaches – both internal and from third parties – is still a challenge for many organizations.
For the protection of their personal data, individuals in the European Union can rely on the GDPR, the European Union (EU) General Data Protection Regulation.
Applicable since May 25, 2018, GDPR outlines the rights EU citizens have in relation to their personal data and the steps organizations must take to store and process these data legitimately and securely.
Therefore, it is very important that a company subject to the GDPR invests in tools that help it store personal data securely and comply with the Regulation's requirements.
The GDPR considers personal data to be any “information relating to an identified or identifiable natural person (‘data subject’)” (art. 4.1 (a) GDPR).
Examples of personal data include location data, IP addresses, home addresses, cookie IDs, photos, personal email addresses, unique mobile device IDs, political opinions, data concerning health and sexual orientation.
Anonymized data and generic, catchall email addresses like contact@company.com are examples of data that is not covered by the GDPR.
The General Data Protection Regulation (GDPR) has several goals; the main ones are outlined below.
Among the general principles of GDPR, the processing of personal data in a lawful, fair and transparent manner stands out.
Furthermore, the personal data processed must be limited to the minimum, used only for specified, explicit and legitimate purposes, and kept for no longer than necessary.
There must be a privacy notice explaining who processes which personal data, on which legal basis and for what purpose, describing the recipients of the personal data, the period for which the data is stored by or on behalf of the organization, as well as the other mandatory information listed in art. 12-14 GDPR.
The GDPR has also strengthened the rules governing email marketing. In short, pursuant to the e-privacy legislation, a company cannot send any direct marketing email to an individual without their prior consent. Under the GDPR such consent must be “freely given, specific, informed and unambiguous”. However, you are allowed to send marketing emails to past customers of your company, and you can use generic email addresses (e.g. info@organization.com) to send marketing messages to organizations.
Last but not least, companies must go to great lengths to ensure that their customers’ and staff members’ personal data is accurate, up-to-date and secure. Here, it is worth remembering that non-compliance with the Regulation can result in heavy fines. We’ll talk more about non-compliance with GDPR throughout this article.
One of the great advantages of the GDPR is that it increases business trust and credibility.
While virtually all provisions of the General Data Protection Regulation are to protect and empower individuals, there are also several advantages for businesses.
As the GDPR requires companies to be accountable, to minimize the use of customers’ personal data and to ensure that their processing is legitimate and secure, customers will feel that their data are in good hands and their trust will grow.
In addition, as the company’s reputation improves, it can also attract more job applications and retain employees longer.
Storing a large amount of personal data without a good understanding of how to use it is not only useless but also an unnecessary cost for companies.
Organizations that comply with the strict requirements of the GDPR must minimize the data they store and define specific processing purposes before the data is collected, thus avoiding unnecessary handling of such information.
Without regulations such as GDPR, companies that respected the privacy of their customers’ data were generally at a disadvantage compared to others that did not give due importance to the confidentiality of this information.
Implementing data privacy policies from a company’s initial design is expensive, and there is profit to be made by selling illegal databases from different consumer groups.
With GDPR in place, the playing field has been leveled. All companies must implement data privacy across their organizations. Companies that value privacy are no longer at a disadvantage.
When a company is required to remove outdated and unnecessary personal data, the information that remains is much more accurate.
GDPR forces every department in a corporation to better organize their data, resulting in more accurate, organized, and even more secure data.
In addition, the accuracy of this information can generate beneficial insights for decision making.
There is no doubt that the IT department is one of the departments most affected by the GDPR.
To comply with the General Data Protection Regulation, the company must establish an inventory of processing activities that shows the types of data the company uses, about which data subjects, for which purpose, on which legal basis, and which employees, processors or third parties have access to it.
It is also worth remembering that the collection and use of personal data must be legally justifiable, and the IT department must take steps to ensure that the data is secured in a way that is appropriate to the risk the processing poses to the individual concerned (e.g. processing an individual’s credit card details is riskier for that individual than processing their email address and must therefore be secured more strongly). Accordingly, all personal data stored must be encrypted whenever necessary and possible.
Company-wide protection of personal data must be considered and an internal security policy implemented. A process must be in place for reporting data breaches to the supervisory authority and to data subjects where required.
In addition, systems must be in place to allow data subjects to request and receive the personal data you store on them. Users must be able to quickly and easily update inaccurate data held about them, and companies processing personal data on behalf of others must at the end of their services be able to transfer or delete the data processed upon request.
HR teams will also need to understand the limits GDPR places on data collected from data subjects who are employees of the company because their personal data can only be processed when it is necessary to execute the labor contract, to comply with a legal obligation or other appropriate legal grounds. In the absence of choice, consent cannot be a valid legal ground.
Data can only be stored and used for a specific purpose and cannot be kept indefinitely without valid reasons. It must be stored in encrypted form whenever possible, and any data breach resulting in a risk to the individual’s rights and freedoms must be notified to the competent supervisory authority within 72 hours. Where a high risk to the rights and freedoms of the affected persons is likely, those individuals must also be informed without undue delay.
Marketing departments should be aware of three main areas of GDPR. These are: data permission, data access and data focus.
Data permission rules state that promotional material can only be sent to people who have expressly consented to receive it. Marketing cannot automatically include someone in a newsletter when they sign up for a website. The visitor must explicitly opt-in by ticking a checkbox, for example.
The GDPR includes provisions on the right to erasure. That means giving people a way to remove their details from the company’s systems or unsubscribe from marketing.
And while marketing departments like to collect data about users, to be GDPR compliant they must be able to show that they have good reason to store the personal data they collect.
The costs of failure to comply with GDPR vary depending on the type and size of a company and the exact nature of the GDPR violation.
Fines of up to €10 million or 2% of a company’s annual global turnover are imposed for infringements such as not reporting a data breach, not appointing a Data Protection Officer (DPO) when required, or not implementing a privacy-by-design process.
Failure to comply with the law can result in fines of up to €20 million or 4% of a company’s annual global turnover, whichever is greater.
These more serious fines can stem from failures to protect the rights of data subjects, from unauthorized transfers of personal data internationally, or from ignoring citizens’ requests for their data.
TPO Map is the number one collaborative GDPR compliance platform.
Through an intelligent combination of automation, legal content and human support, TPO Map helps companies manage and implement compliance measures associated with the EU GDPR.
With configurations adapted to the needs of each client, TPO Map is a complete solution that helps organizations to identify and implement all the necessary GDPR compliance measures in a simplified and digital way.
The TPO Map platform offers a series of advantages that make it the most cost-effective solution for your company.
To discover the most relevant features of our platform, contact our team of experts and request a free demo.
TPO was founded by Sabine Mersch, a legal privacy professional accredited as a Legal Expert by the European Privacy Seal (EuroPriSe) and as a Certified Information Privacy Professional/Europe by the International Association of Privacy Professionals (IAPP). The company acts as an external data protection officer (DPO) or consultant and provides advice to small, medium and large companies in Europe on GDPR compliance matters.