Blog » 5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
30 May 2017
As we mentioned in our earlier article the General Data Protection Regulation (GDPR) will apply from May 2018 in the EU. That means that you have about 1 year to make your business compliant with the new rules. Otherwise your company faces fines up to 20 Million Euro, not to mention the reputational loss a data breach can cause. A compliance project is always difficult to start. Thus, we would like to make it easier for you by collecting the 5 most important topics that you need to understand and clarify at the beginning of your compliance project.
1. Know the data that you use
First and foremost, you need to consider the types and volumes of the personal data that your company uses. Do not forget that personal data is all the data that relates to an identified (or identifiable) human being. Note that the GDPR protects the personal data of EU residents which is everybody who lives in the EU even if not an EU citizen.
That means that if there is no way to link the data to a person then it is not personal data and if the data subject is not an EU resident, then you are not impacted. Thus, while the contact details of your business customer (in B2B transaction) are not regarded as personal data, if you store the address of a consumer who lives e.g. in Germany, be aware that in this case you handle personal information and the GDPR applies to you. Remember, that it is not only your customers whose personal data you possibly use, but also the personal data of your employees.
Identifying whether you hold sensitive data (e.g. health information) is also a core issue in your preparation process. Collecting and storing this kind of personal data may require further measurements (e.g. seeking consent) as it is more restricted than handling “general” personal data.
2. Know your role
When you have identified the personal data that you use, as a next step you need to clarify your role in the data processing.
In case you decide about the purposes and means of data processing, including which data will be collected and from whom to collect data, you will be regarded as a controller. In the meantime, if you are contracted by another organization to perform some function on the personal data then you can consider yourself as a data processor. It is also possible, in fact very common that the controller will be considered as a processor, too, given the broad definition of the processing activities.
To give an example in case you ask your future employee to send you his identification data in order to conclude a labour contract with him, you surely are a controller since you determined the purpose (establishing employment) of the personal data processing. Since you have collected his data you are also considered as a data processor. If you send the employee’s data to your lawyer requesting him to draft the labour contract, you lawyer will be the data processor who processes your employee’s data on your behalf.
It is very important to know your role (controller / processor / both) as this affects your obligations under the GDPR. As a controller, you have wider obligations and it is your duty to ensure that the processor abide by the rules of the GDPR.
3. Know the flow of the data
Another critical step is to know how the data flows through your organization. Data mapping can help you to understand your data flow and the possible risks you face.
Start with identifying from whom you collect personal data and what is its legal basis (e.g. consent or fulfilment of a contract etc.). Define where you store the personal data and where you transfer (e.g. whether you transfer personal data outside the EU).
Building your data map is very important in your GDPR compliance project as this makes it possible to assess your further obligations.
For example, if you transfer your customer’s data outside the European Union (e.g. to your US mother company) for marketing purposes, you must inform your customer about the safeguards that you implemented in relation with the transfer. Or, if your customer requests you to rectify his incorrect data, e.g. to change his address in the system since he has moved, you need to make sure that you share this new data with your subcontractor who makes the deliveries.
4. Know who to involve
A GDPR compliance project is not the one that you can do on your own. Thus, you need to decide about who you will or shall involve in the project within your organization and as a third party and what will be their tasks.
At the beginning of your compliance project, I suggest you to decide whether you are required to appoint a data protection officer, that is the case e.g. you are processing sensitive data on a large scale. If you need to designate one, he will also be a key person in your GDPR compliance project as he shall have expert knowledge of data protection and practices.
5. Know your duties
Last, but not least it is essential to have a thorough knowledge of your specific obligations based on the GDPR. All the above steps will help you to understand your duties, as these may differ based on the types of data (e.g. sensitive data), your role (controller / processor) and your data flow (e.g. whether you transfer data to third parties and / or outside the EU).
Knowing your specific obligations is not only important from compliance point of view but also because of cost- and time-effectiveness. For instance, if you do not handle sensitive data on a large scale, you might not need to appoint a data protection officer, thus you can save significant costs. Or, in case you do not transfer personal data outside your organization you don’t need to review your third party contracts from data protection point of view which would be very time-consuming.
All in all, I suggest you to clarify the above questions before jumping into a GDPR compliance project as the success of the project depends on it. In our next articles and newsletters, we will continue to give you tips and information to be GDPR-proof.
ILF CONFERENCE IN MILAN – PRESENTATION - TAKEAWAYS FROM FIRST GDPR PENALTIES
This May we participated in the European Conference of International Law Firms in Milan, where our managing partner Richard Schmidt held a presentation to members of ILF on recent developments of European Data Protection Law. The presentation focused on the lessons learnt from the first GDPR fines imposed by the national data protection authorities of various European jurisdictions in the 1st year of GDPR.Read more »
CAN YOU PAY MORE FOR THE SAME WORK IN HUNGARY? - FRESH DECISION OF THE CURIA
Are you negotiating on salary with a new colleague in Hungary? Even if salary is subject to free negotiation, a higher salary for the same work can cause a tension in wage levels. In our short article we summarize the fresh decision of the Curia which can serve as a compass in relation with the applicability of the equal pay principle.Read more »
CONSTRUCTION TRUSTEESHIP IN HUNGARY – SCOPE AND GENERAL PROVISIONS
Collateral management is a key issue in every construction project. In Hungary a special regime, the so-called construction trusteeship protects the interest of the participants of major private construction projects, and secures that contractors and subcontractors receive their remuneration for the work performed.Read more »