
What Is GDPR? Everything You Need to Know

Blog: Good e-Learning Blog

If there’s one thing that’s guaranteed to make marketers nervous, it’s ‘GDPR’. The announcement of the General Data Protection Regulation (GDPR) caused a huge stir, not just in Europe but across the world. Approved by the European Parliament in April 2016, GDPR introduced a number of major changes to how organizations are allowed to store and utilize customer data, with huge penalties looming over anyone who fails to take the new regulations seriously.

Under GDPR, citizens in the European Union have much greater control over their personal data. The new laws focus on privacy and consent, giving customers every right to know when and how their data is being used, and even when it has been compromised. These days, almost every service provider uses online data in one form or another, including banks, government agencies, retailers and employees, as well as online giants like Facebook and Google. Crucially, customers even have the ‘right to be forgotten’ and can withdraw consent to use their data at any time.

Most organizations rushed to become GDPR-ready by the point it came into effect in May 2018. Despite this, many failed to become GDPR-compliant by the deadline, risking serious fines as well as public scrutiny. Even now there are companies around the world which remain ignorant of GDPR. Sadly, it isn’t something that can just be waited out; even the UK government has clarified that its departure from the EU will not affect its commitment to the regulations.

So, what exactly is GDPR, and what do companies need to know? Following the regulations is a matter of both behavior and design; not only must businesses integrate data protection into any new technologies, products and services going forward, but they must also train staff to properly handle customer data. Many organizations are also required to hire ‘data protection officers’ (DPO), who can assess capabilities, highlight flaws and provide basic legal advice or knowledge to stress the importance of following the regulations.

Creating a GDPR checklist for yourself will certainly help things along, but GDPR-compliance will need to be treated as an ongoing obligation if you want to avoid the worst fines.

With that in mind, let’s take a look at exactly what you need to know about GDPR.

What is personal data?

The use of ‘personal data’ is the bread and butter of GDPR. The regulation’s own definition of personal data is ‘Any information relating to a living, identified or identifiable natural person.’
This can include:

Who do GDPR regulations apply to?

GDPR applies to all organizations which store or process data from citizens in the EU. However, this is not only relevant to companies based in EU member states; any company which has EU customers must comply with GDPR. As such, there are very few major corporations around the world which have not been affected by the regulation in some way.

Article 4 identifies two key roles in organizations subject to GDPR:

There can be both controllers and processors involved in a service. For example, a high street retailer (controller) could have a customer provide information to open an account. The retailer would then pass the information to another company (processor) which would store, digitize and catalog it. Because both organizations would be subject to GDPR they would each need to take steps to become GDPR-compliant.

What does GDPR mean for companies?

While there are a number of valid economic arguments against GDPR, it is a sad fact that, in the past, many organizations have spectacularly failed to properly manage customer data. Whether as a result of hacker activity or incompetence, millions of people have had their data exposed over the years. This is hardly a harmless crime: many customers have even been the victims of identity theft as a result of poor information security.

Regardless of how companies may feel about GDPR, they should nonetheless familiarize themselves with the new rights enjoyed by customers:

GDPR and data breaches

When information is lost or stolen, hackers and criminals may use it to target customers. Under GDPR, organizations are required to take sufficient steps not only to ensure that information is protected but also to minimize the damage in the event of a breach.

In the event that an organization detects a ‘personal data breach’, it must inform the Information Commissioner’s Office (ICO). Not every breach will necessarily pose a risk, though every incident should be assessed by a certified data protection officer (DPO) to make absolutely sure.

When an organization detects a reportable data breach, it must report it within 72 hours, where feasible. Should the breach pose a high risk to individual rights and freedoms, the organization must also inform the individuals in question without delay. Such a breach could be one with the potential to lead to:

This will usually be done via a ‘breach notification’. This cannot be done via social media, company websites or press releases; customers must be informed via direct correspondence. The most typically used method is email correspondence.

Given the urgency required in the event of data breaches, it is crucial for organizations to set up reliable and robust breach detection capabilities, as well as succinct investigation and internal reporting procedures. Not only will this facilitate decision making about whether the ICO will need to be notified, but it will also streamline the delivery of breach notifications so that affected individuals can protect themselves.

GDPR fines and penalties

Organizations which fail to become GDPR-compliant can face significant penalties. Not only can they be subject to huge fines, but their public relations can also take a hit, potentially decreasing their client pool.

The penalty for a GDPR breach will depend on the severity of the case in question, as well as whether the guilty party is deemed to have taken adequate measures to ensure security and compliance.

The maximum fine is €20 million or 4% of an organization’s annual global turnover, whichever is higher. This can be imposed for:

There is also a lower (though by no means paltry) fine of €10 million or 2% of an organization’s annual global turnover, whichever is higher. This can be imposed for:

However, these are by no means the only criteria for GDPR penalties. It is crucial that organizations make themselves aware of exactly what is expected of them. Remember, in the event of a breach, being able to show that you have taken the correct steps to adhere to GDPR could save you a great deal of money and stress.

Appointing a data protection officer

A data protection officer (DPO) has the job of ensuring that an organization is fully GDPR-compliant. They will oversee an organization’s strategies, educate its staff and conduct security audits, while also serving as the main point of contact between the organization and the relevant supervisory authorities.

Hiring a DPO is not strictly mandatory, except for any organization which:

While DPOs do not require specific qualifications, Article 37 of the regulation specifies that they must have ‘expert knowledge of data protection law and practices.’ It is also worth pointing out that a DPO’s expertise must cover the exact practices of their organization.

Even when this is not mandatory, appointing a data protection officer can make it much easier for an organization to remain GDPR-compliant. You should also keep in mind that failing to appoint a DPO when required can be considered non-compliance, which could result in serious financial penalties.

How to comply with GDPR

Sadly, due to the widely varying structures and goals of the organizations to which GDPR applies, there is no ‘one size fits all’ approach to becoming GDPR-compliant. Rather, organizations must assess their own requirements, find out what steps need to be taken and continually adhere to the regulations as part of an ongoing initiative.

A large part of this revolves around deciding who the relevant processors and controllers are, though companies should also consider:
