Blog » 5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
30 May 2017
As we mentioned in our earlier article the General Data Protection Regulation (GDPR) will apply from May 2018 in the EU. That means that you have about 1 year to make your business compliant with the new rules. Otherwise your company faces fines up to 20 Million Euro, not to mention the reputational loss a data breach can cause. A compliance project is always difficult to start. Thus, we would like to make it easier for you by collecting the 5 most important topics that you need to understand and clarify at the beginning of your compliance project.
1. Know the data that you use
First and foremost, you need to consider the types and volumes of the personal data that your company uses. Do not forget that personal data is all the data that relates to an identified (or identifiable) human being. Note that the GDPR protects the personal data of EU residents which is everybody who lives in the EU even if not an EU citizen.
That means that if there is no way to link the data to a person then it is not personal data and if the data subject is not an EU resident, then you are not impacted. Thus, while the contact details of your business customer (in B2B transaction) are not regarded as personal data, if you store the address of a consumer who lives e.g. in Germany, be aware that in this case you handle personal information and the GDPR applies to you. Remember, that it is not only your customers whose personal data you possibly use, but also the personal data of your employees.
Identifying whether you hold sensitive data (e.g. health information) is also a core issue in your preparation process. Collecting and storing this kind of personal data may require further measurements (e.g. seeking consent) as it is more restricted than handling “general” personal data.
2. Know your role
When you have identified the personal data that you use, as a next step you need to clarify your role in the data processing.
In case you decide about the purposes and means of data processing, including which data will be collected and from whom to collect data, you will be regarded as a controller. In the meantime, if you are contracted by another organization to perform some function on the personal data then you can consider yourself as a data processor. It is also possible, in fact very common that the controller will be considered as a processor, too, given the broad definition of the processing activities.
To give an example in case you ask your future employee to send you his identification data in order to conclude a labour contract with him, you surely are a controller since you determined the purpose (establishing employment) of the personal data processing. Since you have collected his data you are also considered as a data processor. If you send the employee’s data to your lawyer requesting him to draft the labour contract, you lawyer will be the data processor who processes your employee’s data on your behalf.
It is very important to know your role (controller / processor / both) as this affects your obligations under the GDPR. As a controller, you have wider obligations and it is your duty to ensure that the processor abide by the rules of the GDPR.
3. Know the flow of the data
Another critical step is to know how the data flows through your organization. Data mapping can help you to understand your data flow and the possible risks you face.
Start with identifying from whom you collect personal data and what is its legal basis (e.g. consent or fulfilment of a contract etc.). Define where you store the personal data and where you transfer (e.g. whether you transfer personal data outside the EU).
Building your data map is very important in your GDPR compliance project as this makes it possible to assess your further obligations.
For example, if you transfer your customer’s data outside the European Union (e.g. to your US mother company) for marketing purposes, you must inform your customer about the safeguards that you implemented in relation with the transfer. Or, if your customer requests you to rectify his incorrect data, e.g. to change his address in the system since he has moved, you need to make sure that you share this new data with your subcontractor who makes the deliveries.
4. Know who to involve
A GDPR compliance project is not the one that you can do on your own. Thus, you need to decide about who you will or shall involve in the project within your organization and as a third party and what will be their tasks.
At the beginning of your compliance project, I suggest you to decide whether you are required to appoint a data protection officer, that is the case e.g. you are processing sensitive data on a large scale. If you need to designate one, he will also be a key person in your GDPR compliance project as he shall have expert knowledge of data protection and practices.
5. Know your duties
Last, but not least it is essential to have a thorough knowledge of your specific obligations based on the GDPR. All the above steps will help you to understand your duties, as these may differ based on the types of data (e.g. sensitive data), your role (controller / processor) and your data flow (e.g. whether you transfer data to third parties and / or outside the EU).
Knowing your specific obligations is not only important from compliance point of view but also because of cost- and time-effectiveness. For instance, if you do not handle sensitive data on a large scale, you might not need to appoint a data protection officer, thus you can save significant costs. Or, in case you do not transfer personal data outside your organization you don’t need to review your third party contracts from data protection point of view which would be very time-consuming.
All in all, I suggest you to clarify the above questions before jumping into a GDPR compliance project as the success of the project depends on it. In our next articles and newsletters, we will continue to give you tips and information to be GDPR-proof.
DOES THE LACK OF HANDOVER MAKE THE DISMISSAL UNLAWFUL IN HUNGARY?
Whether the lack of handover makes the dismissal unlawful based on the recent judgment of the Hungarian Supreme Court? What happens in case the employee fails to take over the dismissal? We address these issues in our article by analysing a recent judgment of Hungarian Supreme Court.Read more »
UNPAID CAPITAL CONTRIBUTION IN A HUNGARIAN LLC? HOW TO SOLVE THIS PROBLEM?
The „start-up capital” of the limited liability company is the initial capital which is the totality of the capital contributions provided by the shareholders. Since the shareholders may declare that the capital contribution shall only be provided after the establishment of the company in a later date, the painful situation might occur that the shareholder does not provide or only partly provides the capital contribution. Given that this may create unwanted consequences, the settlement of the capital-related problem is the common interest of the shareholders. In this article we summarize the possible methods to solve this issue.Read more »
COVID-19 BRIEFING – RESTRICTIONS ON NON-EUROPEAN FOREIGN INVESTMENTS IN HUNGARY
After the bill, passed in 2018 on restrictions of foreign investments, Hungary further limits the domestic investments of the foreigners because of the COVID-19. The new decree extends the scope of the investments to be notified and introduces fines, too. We explain the most important provisions of the decree in this article.Read more »