Q&A about Understanding EU GDPR (General Data Protection Regulation)
The “New” General Data Protection Regulation
➢ Regulatory Framework of the EU GDPR Before:
• Outdated legislation and bureaucratic paradigm in most EU countries.
• Different regulatory practices in the EU with distortions of competition.
• Lack of regulatory and enforcement efficiency.
• Insufficient awareness of data protection culture.
• Low risk for breaching data protection laws.
➢ Change that the EU GDPR brings into force now:
● Updated legislation and bureaucratic paradigm.
● Equal data protection rules across all EU countries.
● Paradigm shift from state-regulation to self-regulation.
● Exponential risk increase for breach of data protection laws.
● Introduction of new obligations to companies and organizations.
● Strengthening the rights of data subjects.
● More demanding requirements in obtaining consent from data subjects.
➢ How to comply with the new EU GDPR:
1) List the personal data processing purposes and activities.
2) Find the GDPR gaps.
3) Map the company’s risks.
4) Create a compliance strategy accordingly.
5) Implement compliance strategy approved by the management.
6) Train and foster awareness.
7) Maintain control and compliance levels.
Key Question 1:
How should our human resources departments deal with this new regulation?
Create an inventory of every data in possession of the company and destroy data that is not needed. You must have a legitimacy condition for every data kept.
Key Question 2:
We use an online based human resourcing tool from the US for data controlling. Do we need to change or update this process to obligate with the new EU GDPR?
Find out where your cloud based data is stored and know whether the country in which the data is stored at abides by the EU GDPR or not. If possible, avoid storing data in countries that does not abide by the EU GDPR. If the data is stored within a company under the Privacy Shield in the US, data protection should already be a guarantee.
Key Question 3:
If we centralized our operations in one country, do we just need to abide with the legislation guidelines of that one country or do we need to abide with the legislation of every country our company has its branches in?
This depends on the scope of the legislation. First of all, know the data protection authority that has jurisdiction over your company and its corresponding location. Then your company has to comply accordingly with the corresponding legislation.
In summary, the central location of your company has to abide by the legislation of its country and the other entities of your company that are in different countries have to abide by the legislation of their own country.
Key Question 4:
In building an application that collects data, how should we handle data with an unidentifiable user?
It should be handled according to the the type of data, how it is used and how relevant it is to the company. It’s something that is needed to be adapted in accordance with the principles of the regulations.
Your data from the application is considered to be data related to someone identifiable and should be treated the same as the personal data of an identifiable person in which it is to be destroyed when it is not relevant to the company. This method of determining how data is handled is specifically tailored towards the details of the data and the dimensions of the company.
Key Question 5:
How do we deal with the dilemma of “the right to be forgotten” when it comes to data given by employees and managed by employers in our application?
The data controller has the rights to have the data deleted. This depends on the terms and conditions provided by the agreement of the application which determines whether the data controller is both the owner of the application and the employer or the data controller responsibility belongs to only the employer.
The right of the employee to have their data deleted is also determined by the conditions of the contract or agreement between the employee and the employer.
Key Question 6:
We are a company that gives employees the ability to insert any data they see fit in company owned devices to help them perform their best at work. Where does our liability end in the GDPR?
The regulation specifically states that you need to create mechanism that will ensure the security of your information. Policies of extraction and copying information from servers must be created. Internal mechanisms need to be in place to detect or prevent information transfer and access. You as a data controller will be liable for any data breach, even if that data breach comes from one of your employees.
Key Question 7:
How can we process personal data made available to the public?
As for processing this data, you need to have a legitimacy condition to process this data regardless whether or not it is publicly accessible. But the regulation requires that the legitimate interest makes the data processing foreseeable by the data subject. This in turn makes the application of the GDPR dependent on the conditions surrounding the purpose of the data.
Key Question 8:
We are storing personal data and genetic data for our patients which can only be handled by the doctors who hold the consent forms of the patients. Do we need to keep copies of the patient consent forms to be in line with the GDPR?
No, you do not need to keep copies of the patient consent form to be in accordance with the GDPR. The responsibility of collecting consent would be handled by the doctors and this needs to be thoroughly drafted in contract between the doctors and your company as you are the data processors while the doctors are the data controllers.
Key Question 9:
We have the right to revoke consent and the right of portability. Does it have to be explicitly written in the consent form?
Yes, now it has to be written in the consent form. We do not only take the GDPR into consideration when preparing consent agreements.
There are specific guidelines that have been issued by Article 29 Working Party that instructs you on how to interpret the regulation. This determines whether the consent needs to be renewed.
Key Question 10:
As a third party company for a university, how do we need to handle advertising accommodations to the students?
If the student does not provide consent for their information to be handed down to a third party, the third party does not have the authority to contact the student for advertising.
You would need an agreement with the university if they are to collect consent from the students for their information to be handed down to the third party for marketing purposes. Then you would need to keep a registry of the students’ consents for the information that has been lawfully collected as evidence.