Are You Compliant With the GDPR?
We Can Make Sure You Are
Most businesses have been getting ready for the European Union’s General Data Protection Regulations. However, there are many in the DC Area that are still not compliant.
Are you one of these? If so, it’s time to get onboard.
The GDPR replaces the Data Protection Directive of 1995. The new regulations that were passed in April 2016 set a very high bar for any organization that collects personal data from EU residents. It went into effect May 25, 2018.
Organizations in the DC Metro Area must comply with the GDPR. If you process any personal information regarding an individual from the European Union, then there are new rules to follow when processing that data.
The GDPR is an internet privacy law for any organization that does business on the Internet with consumers located in the European Union.
It’s a very complex law, so we can’t explain it in totality. However, we’ve provided a resource at the end of this article that you should check out to learn more.
It doesn’t matter if your company isn’t inside the EU. If you do business with anyone in the following countries, you must comply with this new law.
- Czech Republic
- United Kingdom
The GDPR protects the EU’s consumers. It ensures they can:
- Access their personal data.
- Export their personal data.
- Correct errors in their personal data.
- Object to the processing of their personal data.
- Erase their personal data.
The GDPR also applies to the acquisition, processing, and storage of personal data – from initial gathering to final deletion of this data and every point in between. This could even be information you collect automatically from Google, an opt-in, or other collection methods online.
It applies specifically to personal data—information that could identify someone, such as:
- Email Addresses
- Physical Addresses
- Phone Numbers
- ID Numbers
- Marital Status
- Family Data
- Health Data
- Physical Characteristics
- Profile Pictures
- Employment History
- IP Addresses
- (and more)
The GDPR is so complicated that many companies in Washington DC, Virginia, and Maryland are at a loss as to whether or not they comply. The GDPR Specialists at Intelice Solutions can perform a General Technology Assessment to ensure your organization is compliant.
We’ve done this for many of our clients already. If you aren’t a client of ours, be sure to contact us.
GDPR Compliance is very complex. Ignorance is no excuse. You must know what your responsibilities are. Security, governance, and accountability are core to the GDPR. You are required to take steps to ensure the data entrusted to you is being managed appropriately. That is now the responsibility of anyone who processes data from a resident in the European Union.
Here’s a top-level description of what we’ll look for when conducting your GDPR Assessment.
Do You Have The Legal Right To Process Personal Data?
There are only six lawful reasons for processing personal data.
- Consent: Have you gotten specific consent from the individual?
- Contract: Do you have contractual obligations to process someone’s personal data?
- Legal Obligation: Do you have a legal obligation to process someone’s personal data?
- Vital Need: Do you need to process someone’s personal data to protect their life?
- Public Task: Are you a public authority or focused on public interest and need to process someone’s personal data?
- Legitimate Interest: Do you have a compelling justification for your organization to process someone’s personal data?
The GDPR provides citizens of the European Union with the following rights:
- You must provide certain information, like a privacy notice, and with transparency about how you use personal data.
- They have a right to question you and be responded to if you process their data. This information must be provided at no charge and within one month of the request.
- If someone’s data is incorrect or incomplete, you must correct it.
- If you’ve provided an individual’s data to a third party, you must inform the third party about the correction.
- Individuals may request the removal of their personal data under specific circumstances.
- Under certain circumstances, a person can block the processing of their personal data.
- Individuals must be allowed to get their data for their own use and in a manner that they prefer.
- They can object to the use of their personal data for many purposes.
In the event of a data breach, you must take the necessary steps to notify the authorities and individuals including anyone in the EU.
- Include appropriate language in your contracts and ensure your processors are in compliance as well.
- Document all data processing activities.
- Ensure your processes and systems are designed with individuals’ data security in mind.
- Perform a Data Protection Impact Assessment (DPIA) for any system that could present a high risk to an individual’s data.
- Employ or contract with a Data Protection Officer (DPO) if you are a public authority or if your core activities include the systematic tracking of individuals, processing one of the special categories of data, or processing data related to criminal activities.
- Process data securely and take into account risk analysis, policies, physical, and technical measures.
- Ensure the confidentiality, availability, and integrity of the systems and services you use to process personal data, including recovering data.
Report data breaches to the relevant supervising authority usually within 72 hours.
- Notify individuals of any high-risk breach without delay.
If your organization fails to comply with any of these requirements you could be fined the greater of 4% of your worldwide annual revenues or 20 million Euros (or $23,441,580 U.S.). You could also be banned from any future processing of EU individuals’ data.
As you can see, even this top-level assessment is complicated. In summary, you are required to comply with the GDPR regulations if you process any personal information about an individual from the EU. Download your copy of Intelice Solutions GDPR Quick-Start Guide to help you decide what your next steps should be.
The European Commission’s website regarding the GDPR:
Feel free to contact the GDPR Specialists at Intelice Solutions. We’ll be happy to explain what you need to do to ensure you’re compliant with these new regulations.