The GDPR Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) came into force in May 2018.
The protection of natural persons in relation to the processing of personal data is a fundamental right. Everyone has the right to the protection of personal data concerning him or her. This is stated under Article 8(1) of the Charter of Fundamental Rights of the European Union.
The GDPR Regulation provides that the processing of personal data should be designed to serve mankind.
Why is it important to comply with the GDPR?
- Because the personal data of data subjects should be processed lawfully, fairly and in a transparent manner.
- Because the personal data of data subjects should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Because the personal data of data subjects that are collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Because the personal data of data subjects that are collected should be accurate and where necessary, kept up to date. Personal data that are inaccurate, having regard to the purposes for which they are processed, must be erased or rectified without delay.
- Because the personal data of data subjects that are collected must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Because the personal data of data subjects that are collected should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. To minimise the risk of a personal data breach, companies must apply appropriate technical or organisational measures.
13 Steps to follow to comply with the GDPR Regulation
Here is a summary of the necessary steps that a company shall follow to comply with the GDPR Regulation:
1) Ensure that the company’s processing activities related to personal data are in compliance with the principles of the GDPR Regulation.
2) Identify the lawful basis for processing. Will the personal data collected be processed on the basis of consent received? Will the personal data collected be processed in order to comply with a legal obligation to which the company is subject? Review Article 6 of the GDPR Regulation and ensure that the company has a lawful basis for processing personal data.
3) When consent for processing personal data is collected, ensure that this consent is freely given, that the request for consent is clearly distinguishable from any other matters, and that it is collected through an easily accessible form. Also ensure that the data subject has the right to withdraw his or her consent at any time, in an easy way.
4) The processing of special categories of personal data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, is prohibited unless one of the exceptions in Article 9 of the GDPR Regulation applies.
5) The company shall be ready at any time to meet data subjects' rights.
6) The necessary information shall be provided to the data subject both when personal data are collected directly from the data subject and when personal data have not been obtained directly from the data subject.
7) The company shall implement the necessary technical and organisational security measures, by design and by default, in order to minimise the risk of a personal data breach.
8) When a processor is appointed, the company shall ensure that the processor complies with the GDPR Regulation and processes the personal data in accordance with a contract in place between the company and the processor.
9) A record of Processing Activities shall be developed and be kept in place.
10) In case of a breach concerning personal data under processing, the company shall be able to notify the supervisory authority and, where applicable, the data subjects in a timely manner.
11) A Data Protection Impact Assessment shall be implemented where it is necessary.
12) A Data Protection Officer shall be designated.
13) Transfers of personal data to third countries or international organisations shall take place only under the conditions set out in Chapter V of the GDPR Regulation.
*Relevant Legislation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Select your GDPR course and start learning!