30/04/2018
General Data Protection Regulation - in simple words
We have all heard about GDPR, talked about it and have certainly done our share of internet browsing. But have we really understood what this is all about? From my personal experience, after spending countless hours reading numerous articles and having had telephone conversations with my IT team and legal counsels, I was still left with plenty of unanswered questions, one of these being “what is this all about?” The sources I found explained that in 1995 the EU issued the Data Protection Directive, aiming to protect all individuals with regard to the processing and transferring, within the EEC, of their personal data such as home address, personal phone number, bank account, e-mail address etc.
Technological developments and globalization have brought new challenges for the protection of such personal data. More and more individuals, particularly via social media, make personal information available publicly and globally. And so the General Data Protection Regulation was adopted on 27 April 2016 and applies from 25 May 2018 onwards.
It reinforces individuals’ rights to take back control over how their personal information is used, and sets rules that all companies handling personal data must comply with.
(https://ec.europa.eu/info/law/law-topic/data-protection_en)
(http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679)
But let’s face it. These days a vast number of companies manage personal data one way or the other, from your local beauty parlor giving out gift cards, to shops, insurance companies, banks, hospitals and tax authorities; the list is endless!!! With such a variety of cases, how and what can you do to be compliant with GDPR? Plus, if you do need to comply, then you also need to appoint a Data Controller, who determines the purposes for which the given personal data is processed and how, as well as a Data Processor, who processes said personal data.
My research led me to the only source that was able to help me, and that was my country’s Commissioner’s Office for Personal Data Protection (COPDP)!!!!!
(http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en?opendocument).
As I manage a law firm and a catering business, I was confused as to how to handle matters, so I contacted my local COPDP and in a matter of minutes I found out that:
1. Where the law firm is concerned, since it does not hold or manage any personal data but only corporate data, it does not entirely fall under the GDPR. Nonetheless, and to be on the safe side, a policy had to be drawn up on the company’s letterhead, clearly stating:
• the identity of the organisation and the name of the Data controller;
• that the firm holds solely corporate data;
• who has access to it; and
• that the firm does not and will not export, in any way or form, digital or otherwise, the given information.
2. Where the catering business is concerned, it only had to include in its pro-forma orders a section stating:
• that any personal data included will solely be used for the particular order and/or any future orders submitted by the same individual; and
• that the firm shall a) not permit any processing of personal data by any third party without the individual’s prior written consent and b) notify the individual without undue delay, and in writing, if there is a breach of their personal data held by the firm.
That simple!!!! At least in the above two cases. Of course, each business has its own criteria to examine; in big corporations, for example, things are a bit more complicated, but what saves them is that they already have a set policy and will only need to add the changes required by the GDPR.
I hope this post has shed some light on this matter and has helped you understand that the best way to deal with this is to keep it simple and as clear as possible.
I would appreciate it if you would share your opinions and experiences on this subject. I believe that the more information we get, the more prepared we will be.
Till next time.
Angie Petritsi
PBM Business Planning & Management