5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
30 May 2017
As we mentioned in our earlier article, the General Data Protection Regulation (GDPR) will apply from May 2018 in the EU. That means that you have about 1 year to make your business compliant with the new rules. Otherwise your company faces fines of up to 20 million euro, not to mention the reputational loss a data breach can cause. A compliance project is always difficult to start. Thus, we would like to make it easier for you by collecting the 5 most important topics that you need to understand and clarify at the beginning of your compliance project.
1. Know the data that you use
First and foremost, you need to consider the types and volumes of the personal data that your company uses. Do not forget that personal data is all the data that relates to an identified (or identifiable) human being. Note that the GDPR protects the personal data of EU residents, that is, everybody who lives in the EU, even if they are not an EU citizen.
That means that if there is no way to link the data to a person, then it is not personal data, and if the data subject is not an EU resident, then you are not impacted. Thus, while the contact details of your business customer (in a B2B transaction) are not regarded as personal data, if you store the address of a consumer who lives e.g. in Germany, be aware that in this case you handle personal information and the GDPR applies to you. Remember that it is not only your customers whose personal data you possibly use, but also your employees.
Identifying whether you hold sensitive data (e.g. health information) is also a core issue in your preparation process. Collecting and storing this kind of personal data may require further measures (e.g. seeking consent) as it is more restricted than handling “general” personal data.
2. Know your role
When you have identified the personal data that you use, as a next step you need to clarify your role in the data processing.
If you decide on the purposes and means of data processing, including which data will be collected and from whom, you will be regarded as a controller. If, on the other hand, you are contracted by another organization to perform some function on the personal data, then you can consider yourself a data processor. It is also possible, in fact very common, that the controller will be considered a processor, too, given the broad definition of the processing activities.
To give an example: if you ask your future employee to send you his identification data in order to conclude a labour contract with him, you surely are a controller since you determined the purpose (establishing employment) of the personal data processing. Since you have collected his data you are also considered a data processor. If you send the employee’s data to your lawyer requesting him to draft the labour contract, your lawyer will be the data processor who processes your employee’s data on your behalf.
It is very important to know your role (controller / processor / both) as this affects your obligations under the GDPR. As a controller, you have wider obligations and it is your duty to ensure that the processor abides by the rules of the GDPR.
3. Know the flow of the data
Another critical step is to know how the data flows through your organization. Data mapping can help you to understand your data flow and the possible risks you face.
Start by identifying from whom you collect personal data and what its legal basis is (e.g. consent or fulfilment of a contract etc.). Define where you store the personal data and where you transfer it (e.g. whether you transfer personal data outside the EU).
Building your data map is very important in your GDPR compliance project as this makes it possible to assess your further obligations.
For example, if you transfer your customer’s data outside the European Union (e.g. to your US mother company) for marketing purposes, you must inform your customer about the safeguards that you implemented in relation to the transfer. Or, if your customer requests you to rectify his incorrect data, e.g. to change his address in the system since he has moved, you need to make sure that you share this new data with your subcontractor who makes the deliveries.
4. Know who to involve
A GDPR compliance project is not one that you can do on your own. Thus, you need to decide who you will or shall involve in the project, both within your organization and as third parties, and what their tasks will be.
At the beginning of your compliance project, I suggest that you decide whether you are required to appoint a data protection officer, which is the case e.g. if you are processing sensitive data on a large scale. If you need to designate one, he will also be a key person in your GDPR compliance project as he shall have expert knowledge of data protection and practices.
5. Know your duties
Last but not least, it is essential to have a thorough knowledge of your specific obligations based on the GDPR. All the above steps will help you to understand your duties, as these may differ based on the types of data (e.g. sensitive data), your role (controller / processor) and your data flow (e.g. whether you transfer data to third parties and / or outside the EU).
Knowing your specific obligations is important not only from a compliance point of view but also for cost- and time-effectiveness. For instance, if you do not handle sensitive data on a large scale, you might not need to appoint a data protection officer, thus you can save significant costs. Or, in case you do not transfer personal data outside your organization, you don’t need to review your third-party contracts from a data protection point of view, which would be very time-consuming.
All in all, I suggest that you clarify the above questions before jumping into a GDPR compliance project, as the success of the project depends on it. In our next articles and newsletters, we will continue to give you tips and information to be GDPR-proof.