1. What is considered Personally Identifiable Information
PII, as it is abbreviated, is any information that can be used to identify and locate a single person. This includes data that cannot identify anyone on its own but can do so once it is combined with other data. For example, a last name and a street address by themselves are mostly useless for identifying a person, but combined they might lead to the identification of a single individual.
It is important to know which PII is hidden in your documents and where it is located.
2. The GDPR transcends beyond EU borders
The GDPR applies explicitly to all citizens of EU countries, not only to EU companies. This means that a non-EU company needs to show GDPR compliance if it wishes to use data about EU citizens. It also conveniently means that EU citizens have a legal backup for managing their data worldwide, whichever organization uses it and for whatever purpose.
3. The value of big data
There is one big exception, where the consent of an individual to use their data is not explicitly necessary. Using documents containing PII is allowed without notifying the people concerned if the data is used for scientific, historical or statistical research purposes (and these purposes only). After all, big data is an emerging science with lots of potential. The GDPR acknowledges this potential and doesn’t want to spoil the party: as long as the PII is protected from prying eyes, you are good to go.
4. A transparent policy
Companies using data about EU citizens need to acquire consent for everything the data is used for. This means vague and endless terms and conditions will necessarily become a thing of the past. Requests for consent in applications or other software need to be clear and transparent for every possible reader, without ambiguities. Users should be able to consent only to the parts they are comfortable with and nothing more.
5. Data Protection Officers
A GDPR compliant organization is recommended (but not obliged) to assign a DPO; this can be an internal staff member or someone external. The DPO has to inform and advise the employees who carry out processing and to monitor the organization’s compliance with the regulation. This person is obliged to ensure that records are kept of all processes that use data containing PII. Choosing to assign a DPO has a lot of advantages and is not just a way to show your goodwill.
6. Evaluate the impact of a data breach
An organization regularly has to carry out impact assessments. If a DPO is assigned, this is done under their supervision and on their initiative; if no DPO is present, management will have to take care of it itself. Most notably, these assessments need to be executed whenever a new technology is implemented, but preferably also at certain time intervals as a checkup. A data breach is simulated and the impact of such a harmful event is evaluated. The result of this simulation decides the appropriate course of action the company should take. Recent events show how important this is, as hackers are very resourceful in executing their evil schemes.
7. Reporting of data breaches
Unless a data breach poses no risk to the privacy of individuals, a data operator who discovers a data breach has to report it immediately to the supervisory authorities, and no later than 72 hours after the breach is discovered. The breach also needs to be reported, in clear language, to the subjects whose data is affected. This report needs to describe the nature of the breach along with its likely consequences and the measures taken by the operator to address it.
8. The way you position yourself on the market
This point may have less direct consequences, but it is important for any self-respecting competitive organization nonetheless. It comes as no surprise that the GDPR has a lot of marketing implications. Profiling yourself as a data operating company carries some negative connotations. A thorough evaluation of how an enterprise communicates about who they are and what they do is in its best interest.
9. Crippling penalties
The EU takes the GDPR very seriously, and rightly so. The privacy of individuals is very important and needs to be ensured at all times. To make sure all organizations comply, the fines are very high. Failing to assure compliance leads to a penalty of 20 million euros, or 4% of the annual global turnover, whichever of those is highest. Losing such an amount of money can be harmful enough to drive a company into bankruptcy. Ensuring that you comply with the GDPR is therefore a no-brainer.
10. Time is running out
The legislator is very strict about this. By 25 May 2018, all companies have to be able to show compliance or suffer the penalties discussed above. You still have some time to get your affairs in order, but it is a good idea to start thinking about it now. When Docbyte starts a new project, we follow a clear procedure to set up the highest level of protection and comply with the GDPR. By analyzing and documenting every process and having a clear governance structure, we have taken concrete measures to protect the data in our organization. We will help our customers comply by providing the necessary information and improving security measures in line with article 28 of the GDPR.
Prepare yourself for what is coming and, when you are looking for an IT service provider, be sure to have a chat with one of our experts about the ways we can help you comply with the regulations. You can reach us at firstname.lastname@example.org or fill in the contact form on our website so we can contact you as soon as possible.