Blog » 5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
5 TOPICS TO CLARIFY BEFORE STARTING YOUR GDPR COMPLIANCE PROJECT
30 May 2017
As we mentioned in our earlier article the General Data Protection Regulation (GDPR) will apply from May 2018 in the EU. That means that you have about 1 year to make your business compliant with the new rules. Otherwise your company faces fines up to 20 Million Euro, not to mention the reputational loss a data breach can cause. A compliance project is always difficult to start. Thus, we would like to make it easier for you by collecting the 5 most important topics that you need to understand and clarify at the beginning of your compliance project.
1. Know the data that you use
First and foremost, you need to consider the types and volumes of the personal data that your company uses. Do not forget that personal data is all the data that relates to an identified (or identifiable) human being. Note that the GDPR protects the personal data of EU residents which is everybody who lives in the EU even if not an EU citizen.
That means that if there is no way to link the data to a person then it is not personal data and if the data subject is not an EU resident, then you are not impacted. Thus, while the contact details of your business customer (in B2B transaction) are not regarded as personal data, if you store the address of a consumer who lives e.g. in Germany, be aware that in this case you handle personal information and the GDPR applies to you. Remember, that it is not only your customers whose personal data you possibly use, but also the personal data of your employees.
Identifying whether you hold sensitive data (e.g. health information) is also a core issue in your preparation process. Collecting and storing this kind of personal data may require further measurements (e.g. seeking consent) as it is more restricted than handling “general” personal data.
2. Know your role
When you have identified the personal data that you use, as a next step you need to clarify your role in the data processing.
In case you decide about the purposes and means of data processing, including which data will be collected and from whom to collect data, you will be regarded as a controller. In the meantime, if you are contracted by another organization to perform some function on the personal data then you can consider yourself as a data processor. It is also possible, in fact very common that the controller will be considered as a processor, too, given the broad definition of the processing activities.
To give an example in case you ask your future employee to send you his identification data in order to conclude a labour contract with him, you surely are a controller since you determined the purpose (establishing employment) of the personal data processing. Since you have collected his data you are also considered as a data processor. If you send the employee’s data to your lawyer requesting him to draft the labour contract, you lawyer will be the data processor who processes your employee’s data on your behalf.
It is very important to know your role (controller / processor / both) as this affects your obligations under the GDPR. As a controller, you have wider obligations and it is your duty to ensure that the processor abide by the rules of the GDPR.
3. Know the flow of the data
Another critical step is to know how the data flows through your organization. Data mapping can help you to understand your data flow and the possible risks you face.
Start with identifying from whom you collect personal data and what is its legal basis (e.g. consent or fulfilment of a contract etc.). Define where you store the personal data and where you transfer (e.g. whether you transfer personal data outside the EU).
Building your data map is very important in your GDPR compliance project as this makes it possible to assess your further obligations.
For example, if you transfer your customer’s data outside the European Union (e.g. to your US mother company) for marketing purposes, you must inform your customer about the safeguards that you implemented in relation with the transfer. Or, if your customer requests you to rectify his incorrect data, e.g. to change his address in the system since he has moved, you need to make sure that you share this new data with your subcontractor who makes the deliveries.
4. Know who to involve
A GDPR compliance project is not the one that you can do on your own. Thus, you need to decide about who you will or shall involve in the project within your organization and as a third party and what will be their tasks.
At the beginning of your compliance project, I suggest you to decide whether you are required to appoint a data protection officer, that is the case e.g. you are processing sensitive data on a large scale. If you need to designate one, he will also be a key person in your GDPR compliance project as he shall have expert knowledge of data protection and practices.
5. Know your duties
Last, but not least it is essential to have a thorough knowledge of your specific obligations based on the GDPR. All the above steps will help you to understand your duties, as these may differ based on the types of data (e.g. sensitive data), your role (controller / processor) and your data flow (e.g. whether you transfer data to third parties and / or outside the EU).
Knowing your specific obligations is not only important from compliance point of view but also because of cost- and time-effectiveness. For instance, if you do not handle sensitive data on a large scale, you might not need to appoint a data protection officer, thus you can save significant costs. Or, in case you do not transfer personal data outside your organization you don’t need to review your third party contracts from data protection point of view which would be very time-consuming.
All in all, I suggest you to clarify the above questions before jumping into a GDPR compliance project as the success of the project depends on it. In our next articles and newsletters, we will continue to give you tips and information to be GDPR-proof.
Hungary: Steps Towards Differentiating Between Domestic and International Procedural Public Policy
Drawing a well-defined line of demarcation between domestic and international public policy when enforcing foreign arbitral awards sends a clear pro-arbitration message from national courts in any jurisdiction. Does Hungarian case law come close to this level of sophistication? This post analyses this question in the context of procedural public policy, and it does so based on two recent appellate court decisions rendered in the context of enforcement of arbitral awards in accordance with the New York Convention.Read more »
EU ISSUED NEW GDPR STANDARD CONTRACTUAL CLAUSES – WHEN AND HOW TO USE THEM?
During summer 2021, the European Commission published two new "standard contractual clauses" on data protection regulation, which can be applied on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR , and to the transfers of personal data to third countries, on the other. In this article, we answer the questions: what these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?Read more »
CAN THE NON-COMPETITION AGREEMENT BE VALID WITHOUT A PRECISE COMPENSATION IN HUNGARY?
The non-compete agreement may provide protection of the legitimate economic interests of the employer even after the termination of employment relationship. However, the Hungarian Labour Code lays down strict requirements for the agreement. In our article we analyse a recent decision of the Supreme Court about the importance of the precise determination of the compensation, so you as an employer can conclude a valid non-compete agreement.Read more »