The game-changing new General Data Protection Regulation (GDPR) comes into effect across the EU on the 25th May 2018. With just over a week to go until the deadline kicks in, it seems pertinent for us to acknowledge this very important regulation and give you some final tips and advice before it applies.
If your organisation is not yet ready for this very important day, read on. With fines of up to €20 million or 2% of annual global turnover (whichever is greater) in the event of a breach, the GDPR cannot be taken lightly and will affect all EU businesses – including the U.K. post-Brexit – and Switzerland.
The new legislation is a monumental change to privacy and data protection, and any organisation dealing with EU data subjects will be affected. Swiss data protection legislation is also closely tied to EU regulation, which is why the GDPR will affect Swiss organisations too.
To ensure full GDPR readiness, ensure your business takes the following steps:
1. Document what personal data you hold
The GDPR requires you to keep a record of all your processing activities. Therefore, your business must document what personal data you hold, its origins, how you process it and for what purpose. You must also be able to determine who you are sharing it with.
2. Appoint a Data Protection Officer
It’s vital to designate (or hire) someone who will be responsible for ensuring data protection compliance. This is particularly important for larger organisations or organisations that either collect or process large quantities of personal data.
3. Review your current privacy notices
Review all privacy notices and ensure appropriate changes have been made before the GDPR comes into force. Amongst other things, you will need to explain, in clear language, to the people whose personal data you collect and process the basis on which you process their data, the retention period and their right to access the data.
4. Process readiness
Under the GDPR, personal data must be protected. Acceptable mechanisms for protection include pseudonymisation, encryption and tokenisation; these are being adopted by many companies and can all be used to show compliance with the provisions of the GDPR.
5. Be ready in case of data breaches
Under the GDPR, data breaches must be reported to the authorities (presumably the Federal Data Protection Commissioner) if the breach is likely to result in a risk to the rights and freedoms of individuals. Breaches must also be reported to the individuals affected. Note that notification is not required if the data has been encrypted, tokenised or otherwise obscured so as not to be intelligible to the attacker.
6. Adopt a Privacy by Design and by Default approach
Privacy by Design and by Default is now a legal requirement and consists of:
• Minimising the processing of personal data
• Pseudonymising personal data as soon as possible
• Transparency with regard to the function and processing of personal data
• Enabling the data subject to monitor the data processing
• Enabling the controller to create and improve security features
As you can see, there is plenty to do when it comes to the GDPR, and if you do not feel totally ready for the big day next week, then get in touch or contact our GDPR partners, Sigrid Partners, a Geneva-based GDPR & FADP consultancy.