What kind of businesses are impacted by GDPR?
Basically, all businesses that carry out data processing activities, especially in areas like retail and services. Even though there are companies on the market that are in great need of becoming GDPR compliant, they are very seldom unaware of that need.
The users whose data are collected have the right to request their personal information in a “structured, commonly used and machine-readable format”. This means data portability: consumers have the unhindered right to ask to receive a set of their personal data from the system.
Minimum age for kids’ personal data
16 is the minimum age for giving legal consent to data processing when it comes to online services that present commercial offers. If the child is below this age, personal data will be collected and processed only with the approval (consent) of a parent or guardian.
Pseudonymizing data as a method of privacy by design
This new regulation holds that privacy must be considered from the first stages of design and throughout the whole development process of services and products. How is this implemented? By offering users options to share personal data only to a certain degree.
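Pseudonymization, named in the heading above, is one concrete privacy-by-design technique: direct identifiers are replaced with tokens that can only be linked back to a person with a separately held secret. The following Python example is added here to illustrate that idea; it is not code from the original article, and the records, the `pseudonymize_id` and `pseudonymize_records` function names and the key handling are assumptions made for the illustration. It uses a keyed HMAC rather than a plain hash, so that someone holding only the pseudonymized dataset cannot recover an e-mail address by hashing guessed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example (not real people).
RECORDS = [
    {"email": "alice@example.com", "city": "Lyon", "purchases": 3},
    {"email": "bob@example.com", "city": "Turin", "purchases": 1},
    {"email": "Alice@Example.com", "city": "Lyon", "purchases": 2},
]


def new_key() -> bytes:
    """Generate the secret that turns identifiers into pseudonyms.

    Under GDPR the 'additional information' needed to re-identify a person must
    be kept separately from the pseudonymized data, so this key belongs in a
    secrets store, never in the same table or export as the records.
    """
    return secrets.token_bytes(32)


def pseudonymize_id(identifier: str, key: bytes) -> str:
    """Map a direct identifier (e.g. an e-mail address) to a stable pseudonym.

    HMAC-SHA256 with a secret key gives the same token for the same input,
    so records about one person can still be linked for analytics, while
    nobody without the key can reverse the token or test candidate values.
    Normalising case and whitespace keeps 'Alice@Example.com' and
    'alice@example.com' on the same pseudonym.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize_records(records: list[dict], key: bytes) -> list[dict]:
    """Return a copy of the records with the e-mail replaced by a pseudonym.

    Only the fields needed for the stated purpose are carried over; the
    original identifier is dropped from the output entirely.
    """
    return [
        {
            "subject": pseudonymize_id(r["email"], key),
            "city": r["city"],
            "purchases": r["purchases"],
        }
        for r in records
    ]


if __name__ == "__main__":
    key = new_key()
    for row in pseudonymize_records(RECORDS, key):
        print(row)
```

In practice the key is stored apart from the dataset and rotated with a re-pseudonymization run; if the key is ever placed next to the data, the output is no longer pseudonymous in the GDPR sense, because anyone with read access to both can re-identify every subject.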
Profiling and automated decision-making
Automated decision-making processes will be tolerated only if the decision is necessary for entering into a contract, authorized by law or based on the individual's consent.
5 steps of becoming compliant. What you should do now!
We all know that organizations should already have started reviewing their frameworks in order to evaluate what they must do to become GDPR compliant. But this phrase may be fuzzy for many in the field. The lines below give a few guidelines for a better understanding of the required measures and improvements.
Disclaimer: the steps mentioned below should be regarded as a starting point and cannot substitute for legal and technical expertise.
Is your organization falling under the GDPR?
Initially, you should assess whether your firm is a personal data operator, meaning that it collects and processes data that relates to identifiable persons.
Are you processing data legally?
GDPR brings various changes that aim to set a higher standard for data collection and processing. There are limitations regarding children's consent, for example, and also regarding the way consent is expressed.
Information notices and privacy policy updates are necessary
As a safeguard against possible information breaches, organizations are required to review their privacy policies and the written information on their web platforms.
Privacy roles in your organization
Right from the beginning, you should allocate data protection tasks to the employees who manage personal data in your organization, and ask an expert for specialized advice.
When does a DPO become mandatory?
The Data Protection Officer (DPO) is an expert who helps organizations become GDPR compliant. There are three different situations in which the designation of a DPO becomes mandatory:
a. if the data processing is carried out by a public authority (regardless of what data is being processed); and/or
b. when one of the core activities of the controller/processor consists of processing operations which require regular and systematic monitoring of data subjects on a large scale; and/or
c. when one of the core activities of the controller/processor consists of processing on a large scale special categories of data (sensitive data) or personal data relating to criminal convictions and offenses.