Highway11 – Web Development & E-Commerce Specialists

All you need to know about the GDPR

25 April 2018 | Privacy | Policy
From 25 May 2018 the GDPR (General Data Protection Regulation) applies across the EU, with fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. It's time to become informed.

Developed to give people more control over, and awareness of, how their personal data is used, the regulation will shake up the online business world. It covers personal data processing in all its dimensions: collecting, storing, organising, using, transmitting and erasing. It applies throughout the European Union, and also to companies established outside the EU if they offer products or services (free or paid) to individuals in the EU or monitor their behaviour, for example through tracking and profiling. Unlike a directive, a regulation does not need to be transposed into national law: the same text applies directly in every member state, with only limited room for national specifics in areas such as employment data. Complying will cost time and money, but it is also an opportunity to gain a competitive advantage over other companies and to offer customers an experience they can trust. Here is what you need to know in order to do so.

How to implement it: the GDPR in 5 key points

1. The GDPR applies only to "personal data"
Personal data is any information relating to an identified or identifiable person. It can be divided into two types: directly identifying data such as names, postal addresses and photos, and indirectly identifying data such as IP addresses, cookie identifiers or customer numbers. Both types are treated the same way by the regulation: if it can be used to single someone out, it is personal data.

2. Main focus of the GDPR: consent
Data must be collected and processed "lawfully, fairly and in a transparent manner", and only for specified, explicit purposes. Consent is one of the lawful bases for processing and the one most relevant to marketing and e-commerce: each person must be informed of the specific use of his or her data and must agree to it. Once the purpose has been fulfilled, the data must be deleted or anonymised. Be aware: consent has to be given by a clear affirmative action (silence, inactivity or a pre-ticked box does not count), it must be as easy to withdraw as it was to give, and you must keep evidence of what the person agreed to and when.

3. Distinction between data controllers and data processors
Controllers: the person(s) or organisation that determines the purposes and means of processing the personal data. The controller is the "pilot" of personal data protection in the company and is responsible for choosing processors that comply with the GDPR.

Processors: the person or organisation that processes personal data on behalf of the controller and only on its documented instructions.

Both have distinct obligations. The processor acts on the controller's instructions, but both remain accountable for how customers' personal data is used, and their relationship must be set out in a written contract covering the subject matter, duration, nature and purpose of the processing (Article 28). Choose carefully how the roles are distributed (a web agency hosting a client's online shop is typically a processor; the merchant is the controller) and seek expert advice, since the responsibilities involved are substantial.

4. Appointing a Data Protection Officer
Not all companies need one. A DPO is mandatory for public authorities, for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals (online behavioural advertising, for example), and for those processing special categories of data (health, biometrics, etc.) or criminal-conviction data on a large scale. The DPO informs and advises the organisation, monitors its compliance with the GDPR and is the contact point for the supervisory authority and for data subjects; responsibility for compliance itself stays with the company. If you appoint one, do it before the regulation applies. The DPO can be an employee or an external contractor, must be an expert in data protection law and practice, needs a deep understanding of your business, and must be able to act independently.

Whether or not a DPO is appointed, every company must implement appropriate technical and organisational measures and be able to demonstrate that they are in place and effective (the accountability principle).

What does it mean for your business? The prior notification of processing activities to the supervisory authority disappears. Instead, the regulation relies on accountability: companies keep their own records of processing activities (Article 30) and must be able to show, on request, how they control the use of personal data.

General obligation to secure data
Controllers and processors must implement security measures appropriate to the risk, taking into account the state of the art and the cost of implementation. The regulation names pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data promptly after an incident, and a process for regularly testing and evaluating the effectiveness of those measures (Article 32). "Maximum security" is not the standard; demonstrably risk-appropriate security is.

Breach notification
When a personal data breach occurs, the processor must notify the controller without undue delay. The controller must then report the breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if the deadline cannot be met, the notification must explain the delay. If the breach is likely to result in a high risk to the people concerned (leaked customer passwords or payment details, for instance), those people must be informed directly and without undue delay. Keep an internal register of all breaches, including those you decided not to report, together with the reasoning.

5. Sanctions
There are two levels of administrative fines, each calculated on the annual worldwide turnover of the preceding financial year:

The lower level: up to €10 million or up to 2% of annual worldwide turnover, whichever is higher. It applies to breaches of the obligations placed on controllers and processors (for example data protection by design, records of processing, security, breach notification and the appointment of a DPO), and of the obligations of certification bodies and monitoring bodies.

The higher level: up to €20 million or up to 4% of annual worldwide turnover, whichever is higher. It applies to breaches of the basic principles for processing, including the conditions for consent; of data subjects' rights (access, rectification, erasure, portability, objection); of the rules on transferring personal data to a recipient in a third country or an international organisation; of obligations under Member State law adopted under Chapter IX; and to non-compliance with an order or a limitation on processing imposed by a supervisory authority.