The General Data Protection Regulation, or GDPR, which went into effect on May 25, 2018, consists of seven basic data protection principles that embody the spirit of any effective data protection regime. Applicable to all companies that collect and process the data of European Union citizens, it revolves around the lawful processing of such individuals’ personal data. The processes in question include the collecting, structuring, organizing, storage, alteration, communication, consultation, combination, destruction or erasure of such data.
The GDPR represents the most significant change in data protection law since 1995, when the Data Protection Directive, or DPD, was enacted. Companies across the world scrambled upon learning about the upcoming new rules because, although similar in many ways to the DPD, the GDPR of 2018 is more far-reaching and detailed. It also includes a new, seventh principle – the accountability standard – that applies to firms that process EU residents' data not only within the EU but anywhere in the world.
If your company collects data about EU citizens, you must ensure that you are in compliance with the GDPR. Otherwise, you face the risk of severe fines. The fines that may be imposed by the new law are significantly steeper than those of the DPD. For example, failure to keep data secure, as required by the GDPR, may result in fines of up to 2 percent of your firm’s annual global turnover or €10 million – whichever is higher.
The Six Primary Principles of the General Data Protection Regulation
Here’s a quick summary of the six principles that make up the core of the GDPR:
- Lawfulness, fairness and transparency – Under the GDPR, data must be processed in a lawful, transparent and fair manner. Your firm’s processes must comply with the law and should be readily available to data subjects. In particular, privacy policies should be written in clear, simple language, and they should be easy to access. In other words, fine print won’t cut it anymore.
- Purpose limitation – Data must only be collected for specific, explicit and legitimate purposes. It may not be processed further in ways that are incompatible with such purposes. Such purposes must be clearly stated to users, and data should only be collected for as long as necessary. The only exception is in the case of data that is being archived for scientific, historical or statistical purposes. In short, do what you say – and say what you do.
- Data minimization – Personal data that is collected must be adequate, relevant and limited to what is necessary for the purposes of the firm. If data is breached, unauthorized individuals will have access only to a limited amount of data. This also makes it easier to keep said data accurate and up to date. In other words, if you don’t need a certain type of data, don’t ever collect it.
- Accuracy – The GDPR requires that any data that is collected must be accurate and, where necessary, kept up to date. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
- Storage limitation – Data that’s collected must be kept in a format that permits the identification of data subjects only for as long as necessary. When no longer necessary, then, data must be deleted. Therefore, continually review the data that is stored by your organization and remove any that is no longer needed right away.
- Integrity and confidentiality – This is where the GDPR specifically addresses security. Data must be processed in a manner that ensures the appropriate security of any personal data that has been collected. Reasonable techniques and measures, including encryption, anonymization and pseudonymization, should be employed to ensure compliance, so that if the data ever falls into the wrong hands it stays confidential and any tampering can be detected. This also reduces the impact of potential data breaches.
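The storage limitation and integrity/confidentiality principles above are the two that translate most directly into code. The following is an added example, not code from this page or from E-Marketing Associates: it pseudonymizes a constructed customer table by replacing each email address with an HMAC-SHA256 token (one common pseudonymization technique; the key is a hypothetical secret the controller keeps apart from the data store), enforces an assumed 365-day retention policy, and erases a single subject on request. The sample records are constructed and describe no real person.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed sample records (not real people); timestamps are ISO 8601 in UTC.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "basic", "last_seen": "2023-01-10T08:00:00+00:00"},
    {"email": "bob@example.com", "plan": "pro", "last_seen": "2024-05-01T12:30:00+00:00"},
    {"email": "carol@example.com", "plan": "basic", "last_seen": "2022-11-20T17:45:00+00:00"},
]

# Hypothetical controller secret. In a real deployment it lives in a KMS or secrets
# manager, separate from the analytics store, and is never hard-coded like this.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token for a direct identifier.

    HMAC-SHA256 over the normalised identifier: the same email always yields the
    same token (records can still be joined), but without the key the token cannot
    be reversed or confirmed against a list of guessed addresses.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Split records into an analytics view (no email) and a re-identification table.

    Only the controller, holding both the key and the lookup table, can map a
    token back to a person; a breach of the view alone exposes no identities.
    """
    view, lookup = [], {}
    for r in records:
        token = pseudonym(r["email"], key)
        stripped = {k: v for k, v in r.items() if k != "email"}
        stripped["subject_id"] = token
        view.append(stripped)
        lookup[token] = r["email"]
    return view, lookup


def contains_direct_identifier(view) -> bool:
    """Sanity check before the view leaves the controller: no email field or value."""
    for r in view:
        if "email" in r or any(isinstance(v, str) and "@" in v for v in r.values()):
            return True
    return False


def apply_retention(records, now_iso: str, max_age_days: int):
    """Storage limitation: keep only records seen within the retention window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    kept, erased = [], []
    for r in records:
        seen = datetime.fromisoformat(r["last_seen"])
        (kept if seen >= cutoff else erased).append(r)
    return kept, erased


def erase_subject(view, lookup, token: str) -> int:
    """Erasure on request: drop the subject from the view and the lookup table.

    Returns the number of records removed from the view.
    """
    before = len(view)
    view[:] = [r for r in view if r["subject_id"] != token]
    lookup.pop(token, None)
    return before - len(view)


if __name__ == "__main__":
    view, lookup = pseudonymize(SAMPLE_RECORDS, PSEUDONYM_KEY)
    print("direct identifiers left in view:", contains_direct_identifier(view))
    kept, erased = apply_retention(SAMPLE_RECORDS, "2024-06-01T00:00:00+00:00", 365)
    print("retained:", [r["email"] for r in kept], "erased:", len(erased))
    token = pseudonym("alice@example.com", PSEUDONYM_KEY)
    print("removed on erasure request:", erase_subject(view, lookup, token))
```

The design point is the separation: the analytics view is what most staff and downstream systems touch, while the key and lookup table are the small, tightly guarded set that turns a token back into a person. Retention and erasure run against both sides, otherwise the lookup table quietly becomes the data you promised to delete.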
The Seventh Principle: Accountability
One of the most significant updates that came along with the enactment of the GDPR is the accountability principle. Under this principle, it is your responsibility to ensure that your organization is in compliance with the GDPR – and you must be able to demonstrate that compliance. If you, for example, rely on automated social media bots for data collection, you may not be in compliance and may be breaching the accountability principle.
Examples of accountability measures that may be used to comply with this principle include:
- Appointing a data protection officer
- Implementing security measures and data protection policies
- Documenting data protection activities and processes
- Recording and reporting personal data breaches
- Conducting regular data protection impact assessments
- Putting data protection contracts in place with third-party processors
- Obtaining appropriate consents from data subjects
Is Your Company in Compliance with the GDPR?
If you are concerned about whether or not your small business is in compliance with the seven GDPR principles, the time to act is now. Small business website design plays a crucial role in maintaining compliance, and E-Marketing Associates can assist you in this regard. Contact us today for more information.