It probably applies to YOU
Personal data is broadly defined
How to comply
- Adopt accountability and governance measures. The GDPR requires companies to put governance measures in place that minimize the risk of breaches and protect personal data, and to be able to demonstrate that compliance. It also requires that, in the event of a personal data breach, the controller notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it (Article 33).
- Appoint a Data Protection Officer (DPO) where required. Data controllers and processors must designate a DPO when they are a public authority, when their core activities involve regular and systematic monitoring of individuals on a large scale, or when they process special categories of data (or criminal conviction data) on a large scale (Article 37). The DPO must have expert knowledge of data protection law and practice, must be able to act independently, and must report directly to the highest level of management.
- Perform impact assessments. The GDPR requires data controllers to carry out a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to the rights and freedoms of individuals (Article 35). If the assessment shows a high residual risk that the controller cannot reduce with mitigating measures, the controller must consult the supervisory authority before the processing begins (Article 36).
- Update data transfer policies. The GDPR imposes new restrictions on the transfer of personal data outside the EU.
- Implement new policies to accommodate individual privacy rights. Under the GDPR, individuals have stronger rights, including the right to be informed, the right of access, the right to rectification, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision-making and profiling, and the right to erasure (the "right to be forgotten"). Your processes must be able to recognize such a request, verify the requester, and act on it within the statutory time limit.
- Add "Privacy by Design" to your development process. Privacy must now be built into any new product, system, or process that uses personal data from the start of development, not bolted on afterwards.
- Add "Privacy by Default" to your operations. The GDPR requires that, by default, only the personal data necessary for each specific purpose is processed, and that the most privacy-protective settings apply automatically when a product, system, or service is put into use, without the individual having to configure them. You will need to document how you built data privacy protections and processes into the initial design of any new project and maintained them throughout its life cycle.
Steps you need to take NOW
Written by Ken Moyle, Guest Blog. Digital policy, e-signatures, startups, technology law. Ken holds a B.S./B.A. in Business Administration and a J.D. from University of Washington School of Law. He is a member of the Washington State Bar Association and has been admitted to practice before the Supreme Court of the United States. He also manages public policy for the Washington, D.C.-based Electronic Signature & Records Association.