If you have been running a business in the EU during the last year or so you may have heard of GDPR and the effect it has on data in the workplace. This new initiative is all about changing the way companies are allowed to store personal data and it is a huge step for privacy for individuals who need it. Here are some of the ways you can bring the GDPR compliance laws into your workplace as you start a new company.
The GDPR has many different rules which stipulate where and when you are allowed to store the data of individuals in the workplace and it also has rules about how long data is allowed to be stored after an employee has left the company. It would be worth you reading up on GDPR laws and getting to grips with every little detail so that you can better change your business to suit the people you hire and the clients you take on.
As you may know, there has always been a fine for leaking sensitive information without the party’s permission, as well as for storing data on file without telling the client or employee that you are doing so. However, there is now a much larger fine to protect people and their personal information: it can be anything up to 4% of a company’s worldwide turnover, or €20M. This is why it is so crucial for businesses to take these laws seriously, because if they don’t, they can be put out of business.
The important thing for international companies to remember is that the GDPR applies to any company that deals with EU residents’ data, which means companies in the USA and even in China will still be affected by this set of rules. This is why it is crucial that you make sure you know the law even if you aren’t in Europe yourself.
What is personal data?
The main thing you need to know in order to comply with GDPR is what actually counts as personal data. The definition of personal data has broadened, and it now also covers online identifiers such as cookies and advertising IDs, which can indicate who a person is by demographic and location. Make sure that you know what personal data really is and that you are in line with the law.
Now that you are a data processor holding data on file about your employees and clients, you have a liability and you are responsible for the safe storage or disposal of that data when needed. An ex-employee or a client can come to you and ask you to remove all trace of them from your database, and if you do not do this within a specific time limit you will be in line for a hefty fine for breaching the data protection laws. It is important, therefore, that you file all data for each person in one place to make things easier when it comes to forgetting them.
Sometimes a breach of data can be totally accidental, and perhaps you didn’t mean to do anything to leak the information. However, when a data breach does occur in the workplace you have to make sure that you notify the authorities within 72 hours. This will allow the authorities to contact anyone affected and let them know where their data was leaked from, giving them the option to ask that you take them off record entirely if they don’t feel their data is safe in your hands.
It is important that cybersecurity be part of your business strategy. The cost of ignoring its importance can be high.
When you register your business and your intention to store data with the Information Commissioner’s Office, you will have to go through a series of tests. These tests will assess how well your data management system works and how much of a risk it could be to your clients if they do agree to let you keep their data on file. This holds your company accountable for the state of your security, and it means that there is no one to blame but yourself if things do go wrong.
Although data protection has long been a concern, it is only now that people have the power to order a company to carry out data destruction on their records and to exercise the right to be forgotten on all counts. An individual now has the right to tell a company to stop keeping their data, and the company will be punished if it breaches this and doesn’t comply with the request. It is a great law for individuals because it allows them to feel safer and more secure.
When it comes to transferring data to another part of the world, the law has cracked down on this too, and the rules are now much more clear cut. Binding Corporate Rules are checked, and the transfer process is much tighter, to ensure that any data moved from one place to another is totally secure and safe.
Data Protection Officer (DPO)
If your company is highly data focused, such as a sales business or a subscription service, you will want to make sure that you hire a data protection officer whose job it will be to oversee compliance with GDPR and to make sure that anyone’s right to be forgotten is honored within the timeframe given. You can either choose someone already in the company and send them on training for the position, or hire someone completely new who is qualified in data protection and can ensure that your company is following the law, so that there is no reason for you to worry about data and fines.