GDPR is the theme of the moment. On 25 May, the new regulation that protects the personal data of citizens of the European Union becomes mandatory. The main changes this law introduces compared to the current law concern the right to be forgotten, the right to data portability, and changes to how citizens give consent for the processing of their data. In today’s article we will address the changes that GDPR will bring to your company!
Regarding online customer relationships, company systems should present privacy policies in clear and objective language. The consent given by citizens to data processing should be retained so that it can serve as evidence of free and unequivocal consent. The regulation creates additional barriers to current data collection and processing practices by introducing stricter rules for companies regarding consent for the collection and processing of personal data. Companies have to consider whether processing is justified by a contract with the data subject, by compliance with a legal obligation, or by the defence of the data subject's vital interests. With the new regulation, the contact details on a business card, for example, cannot be added to any database without the explicit consent of their owner. In practical terms, pre-ticked boxes, failure to respond, inactivity and consent buried in terms and conditions will no longer be allowed, since none of these is considered a valid means of demonstrating compliance with the consent requirements of the new Regulation.
This person (also known as the DPO, Data Protection Officer) plays an essential role in the transition period from the old law to the new legislation. The appointment of a DPO is mandatory in the following cases: (1) whenever the data is processed by a public entity; (2) where there is constant, large-scale monitoring of people; (3) whenever there is large-scale processing of sensitive data; (4) in companies with more than 250 employees.
You must keep a detailed record of all activities related to the processing of personal data so that the organization can demonstrate that it fulfils all the obligations in force under the GDPR. The legislation provides that subcontractors (processors) have almost the same obligations as those responsible for the processing (controllers) and are therefore also required to prove that they comply with what is required.
Businesses and organizations have a duty to notify the National Supervisory Authority of data breaches that put individuals at risk, and to communicate all high-risk breaches to the citizens concerned as quickly as possible so that they can take the appropriate actions.