Blog » 5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
30 May 2017
As we mentioned in our earlier article the General Data Protection Regulation (GDPR) will apply from May 2018 in the EU. That means that you have about 1 year to make your business compliant with the new rules. Otherwise your company faces fines up to 20 Million Euro, not to mention the reputational loss a data breach can cause. A compliance project is always difficult to start. Thus, we would like to make it easier for you by collecting the 5 most important topics that you need to understand and clarify at the beginning of your compliance project.
1. Know the data that you use
First and foremost, you need to consider the types and volumes of the personal data that your company uses. Do not forget that personal data is all the data that relates to an identified (or identifiable) human being. Note that the GDPR protects the personal data of EU residents which is everybody who lives in the EU even if not an EU citizen.
That means that if there is no way to link the data to a person then it is not personal data and if the data subject is not an EU resident, then you are not impacted. Thus, while the contact details of your business customer (in B2B transaction) are not regarded as personal data, if you store the address of a consumer who lives e.g. in Germany, be aware that in this case you handle personal information and the GDPR applies to you. Remember, that it is not only your customers whose personal data you possibly use, but also the personal data of your employees.
Identifying whether you hold sensitive data (e.g. health information) is also a core issue in your preparation process. Collecting and storing this kind of personal data may require further measurements (e.g. seeking consent) as it is more restricted than handling “general” personal data.
2. Know your role
When you have identified the personal data that you use, as a next step you need to clarify your role in the data processing.
In case you decide about the purposes and means of data processing, including which data will be collected and from whom to collect data, you will be regarded as a controller. In the meantime, if you are contracted by another organization to perform some function on the personal data then you can consider yourself as a data processor. It is also possible, in fact very common that the controller will be considered as a processor, too, given the broad definition of the processing activities.
To give an example in case you ask your future employee to send you his identification data in order to conclude a labour contract with him, you surely are a controller since you determined the purpose (establishing employment) of the personal data processing. Since you have collected his data you are also considered as a data processor. If you send the employee’s data to your lawyer requesting him to draft the labour contract, you lawyer will be the data processor who processes your employee’s data on your behalf.
It is very important to know your role (controller / processor / both) as this affects your obligations under the GDPR. As a controller, you have wider obligations and it is your duty to ensure that the processor abide by the rules of the GDPR.
3. Know the flow of the data
Another critical step is to know how the data flows through your organization. Data mapping can help you to understand your data flow and the possible risks you face.
Start with identifying from whom you collect personal data and what is its legal basis (e.g. consent or fulfilment of a contract etc.). Define where you store the personal data and where you transfer (e.g. whether you transfer personal data outside the EU).
Building your data map is very important in your GDPR compliance project as this makes it possible to assess your further obligations.
For example, if you transfer your customer’s data outside the European Union (e.g. to your US mother company) for marketing purposes, you must inform your customer about the safeguards that you implemented in relation with the transfer. Or, if your customer requests you to rectify his incorrect data, e.g. to change his address in the system since he has moved, you need to make sure that you share this new data with your subcontractor who makes the deliveries.
4. Know who to involve
A GDPR compliance project is not the one that you can do on your own. Thus, you need to decide about who you will or shall involve in the project within your organization and as a third party and what will be their tasks.
At the beginning of your compliance project, I suggest you to decide whether you are required to appoint a data protection officer, that is the case e.g. you are processing sensitive data on a large scale. If you need to designate one, he will also be a key person in your GDPR compliance project as he shall have expert knowledge of data protection and practices.
5. Know your duties
Last, but not least it is essential to have a thorough knowledge of your specific obligations based on the GDPR. All the above steps will help you to understand your duties, as these may differ based on the types of data (e.g. sensitive data), your role (controller / processor) and your data flow (e.g. whether you transfer data to third parties and / or outside the EU).
Knowing your specific obligations is not only important from compliance point of view but also because of cost- and time-effectiveness. For instance, if you do not handle sensitive data on a large scale, you might not need to appoint a data protection officer, thus you can save significant costs. Or, in case you do not transfer personal data outside your organization you don’t need to review your third party contracts from data protection point of view which would be very time-consuming.
All in all, I suggest you to clarify the above questions before jumping into a GDPR compliance project as the success of the project depends on it. In our next articles and newsletters, we will continue to give you tips and information to be GDPR-proof.
LAWFUL DISMISSAL IN HUNGARY - PART IV: TERMIANTION BASED ON EMPLOYER’S OPERATIONS
In the previous articles on the lawful dismissal, we explained dismissal for employee-related reasons. However, that is only half of the whole picture, because in many cases the employer dismisses employees for reasons of reorganization or redundancy. Justification must meet strict rules to be lawful in this case as well, the details of which we explore in this article based on case law of Hungarian labour courts.Read more »
MONITORING THE COMPANY E-MAIL ACCOUNT - DECISION OF THE HUNGARIAN DATA PROTECTION AUTHORITY
In its recently published decision, the Hungarian Data Protection Authority (NAIH) has dealt with the questions of the usage of the corporate email account for private purposes and the monitoring of the e-mail account. As the topic can affect every employer, who provides an e-mail account for its employees for working purposes, we summarize the most important conclusions of the decision in our short article.Read more »
LAWFUL DISMISSAL IN HUNGARY - PART III TERMIANTION BASED ON SKILLS/ABILITY
In our previous article we have examined the cases in which an employer may terminate the employment due to an employee's inappropriate behaviour or attitude. But what if inadequate work or the lack of expected results is not because of the misbehaviour or bad attitude of the employee, but because of not having the knowledge or skills needed to perform the job properly. What can an employer do in this case? What can be the basis for a legal termination? From our article, you can get the answer to these questions.Read more »