Regardless of whether your company is located in Europe, the United States, Canada or anywhere else in the world, and whatever its size, if your company, non-profit, social club or association collects and processes personal information in any way and form, you need to understand how GDPR affects you and your company.
Starting on May 25, 2018, a new regulation will be enforced that strengthens personal data security regulations and places tough requirements on how businesses can collect, store and process any and all personal information.
Why should I care?
The simple answer is the hefty fines you may incur if you violate those regulations. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Where should you start?
We are here to help you with your first step to gain a better understanding of what GDPR is and what changes your company must make to follow the new regulations. There is no time to wait – you can get started today with answering a few questions regarding your data:
- What personal information does my company collect and process today?
- Where does my company store that information and on which IT systems?
- Who has access to the information and how is it being used?
- What lawful basis does our company have to collect and store the information?
After you answer those questions, we can make it easy for your company to dive in deeper and take the practical steps to kick-start your GDPR activities at omnibasis.com with your FREE account.
What is personal information?
Under GDPR, personal information is anything that can be used to identify an individual. At first glance you might think that this is easy. Yet with GDPR there are lots of other non-obvious data points that also fall into this category. Examples of personal information are a person's name, email, government ID number, membership number, IP address, car license plate, Twitter or Facebook handles and even photographs.
In addition, GDPR classifies some information as sensitive data, and encryption and other security measures are needed to restrict access to it. Examples of sensitive data are personal health records, membership affiliation, bank account information, etc.
Unless it is absolutely necessary, your business should avoid storing and processing sensitive information altogether, or alternatively erase the data as soon as it is no longer required. For example, an airline needs to collect food preferences for in-flight meals. It is best to erase this information as soon as the flight has landed.
Rights of the individual
The purpose of GDPR is to strengthen the protection of the individual's right to personal data protection. All individuals have the right to detailed and easy-to-understand information about how their personal data is stored and processed, and for what purpose. The individual also has the right to access their personal details at any time and to correct or delete them at any time.
What does this mean for your business?
An individual's request to access his or her information could be simple if it only concerns their personal details. Maybe it is stored in some kind of membership directory. But that is not all. An individual's information also includes the history of changes to that personal information, consents given previously to store and process that information, and any and all additional interactions your business ever had with that individual. It can get very complicated very fast, especially with several distributed systems where you store and maintain different sets of information and data.
The right to be forgotten
GDPR also defines a new right for every individual: the right to be forgotten. It empowers the individual, by simple means – not jumping through lots of hoops and calling around forever – to have ALL of their information permanently deleted. You can obviously still keep information that is required for you to fulfil obligations when it comes to, for example, accounting or financial transactions, to meet your reporting obligations. However, the information that the business still keeps can only be used for that processing activity and no other purpose.
A lawful basis for collecting personal information
GDPR makes it very clear that you are required to have a lawful basis to collect and process personal information, along with explicit user consent.
User consent should be a clear and affirmative action, not something hidden in a long user agreement. Implied consent is no longer valid: no more pre-checked checkboxes to opt in to newsletters.
Users must also have just as easy a way to withdraw consent as they had to give it in the first place.
The user consent must include a clear explanation of why your business seeks to store and process their personal information, and for how long, at the time of obtaining it. An example of such consent is an easy-to-follow and understandable website membership agreement.
Your company should immediately identify what its lawful basis currently is to store and process personal information.
Important! Do not use email to process personal information!
In the past, e-mail has made it very easy to communicate with people. That is not enough under the new GDPR rules. All personal data you process via e-mail is affected by GDPR. Do not use email. If you need to collect and store personal data, you can use the Omnibasis cloud-based platform to do so in minutes.
Do not hide data breaches!
No one is immune to data breaches and hacker attacks. Any incident where personal data might end up in the wrong hands must be reported to the authorities within 72 hours after the breach has occurred. In most cases you must also notify all individuals whose data was leaked.
Delete personal information that is not used
An individual's personal data may only be collected, stored and processed with a valid consent. Providing an easy-to-use interface to manage, update and delete each individual's personal data can save your organization time and money. In addition, you will be compliant with the GDPR requirement to delete personal data that is no longer needed for data processing, since it is stored in one place via the Omnibasis cloud-based platform.
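As an added illustration (not code from this page or from Omnibasis), here is a small Python model of the rules stated in the consent, right-to-be-forgotten and deletion sections above: consent is recorded together with its purpose and retention period, it defaults to "not given" so a pre-checked box cannot create it, it is withdrawn in a single call, data is only stored under active consent for its stated purpose, a retention sweep erases records whose consent has lapsed or been withdrawn, and an erasure request removes everything except records kept for a legal-hold purpose, which are then flagged as restricted to that purpose. The purpose names, the `pax-42` subject, the sample values and the `LEGAL_HOLD_PURPOSES` set are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LEGAL_HOLD_PURPOSES = {"accounting"}   # purposes that survive a deletion request; constructed set

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str          # why the data is processed, stated when consent is obtained
    retention_days: int   # how long it is kept, also stated at that time
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        """Usable only if not withdrawn and still inside the stated retention period."""
        withdrawn = self.withdrawn_at is not None and self.withdrawn_at <= now
        return not withdrawn and now < self.given_at + timedelta(days=self.retention_days)

class ConsentLedger:
    def __init__(self) -> None:
        self._history: List[ConsentRecord] = []   # append-only, so past consents can be shown

    def record_consent(self, subject_id, purpose, retention_days, now, opted_in=False):
        # opted_in defaults to False: a pre-checked box or silence never yields consent.
        if opted_in is not True:
            raise ValueError("consent requires an explicit affirmative action")
        self._history.append(ConsentRecord(subject_id, purpose, retention_days, now))

    def withdraw(self, subject_id, purpose, now) -> int:
        """One call, as easy as giving consent; returns how many consents were withdrawn."""
        hits = [r for r in self._history if r.subject_id == subject_id
                and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = now
        return len(hits)

    def can_process(self, subject_id, purpose, now) -> bool:
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active(now)
                   for r in self._history)

@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str
    data: Dict[str, str]
    restricted: bool = False   # set after an erasure request: usable for its legal-hold purpose only

class DataStore:
    def __init__(self) -> None:
        self.ledger = ConsentLedger()
        self.records: List[PersonalRecord] = []

    def store(self, subject_id, purpose, data, now) -> None:
        # Purpose limitation: storing needs active consent for this exact purpose.
        if not self.ledger.can_process(subject_id, purpose, now):
            raise PermissionError(f"no active consent for {subject_id}/{purpose}")
        self.records.append(PersonalRecord(subject_id, purpose, dict(data)))

    def retention_sweep(self, now) -> int:
        """Erase records whose consent lapsed or was withdrawn; legal-hold records stay."""
        keep = [r for r in self.records if r.purpose in LEGAL_HOLD_PURPOSES
                or self.ledger.can_process(r.subject_id, r.purpose, now)]
        erased = len(self.records) - len(keep)
        self.records = keep
        return erased

    def erase_subject(self, subject_id) -> int:
        """Right to be forgotten: delete everything except legal-hold records, which become restricted."""
        before = len(self.records)
        self.records = [r for r in self.records
                        if r.subject_id != subject_id or r.purpose in LEGAL_HOLD_PURPOSES]
        for r in self.records:
            if r.subject_id == subject_id:
                r.restricted = True   # kept for the legal-hold purpose only, no other use
        return before - len(self.records)

def run_demo() -> Dict[str, object]:
    """The page's airline example with constructed data: meal choice kept one day, invoice kept."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = DataStore()
    store.ledger.record_consent("pax-42", "meal_preference", 1, t0, opted_in=True)
    store.ledger.record_consent("pax-42", "accounting", 3650, t0, opted_in=True)
    store.ledger.record_consent("pax-42", "newsletter", 365, t0, opted_in=True)
    store.store("pax-42", "meal_preference", {"meal": "vegetarian"}, t0)
    store.store("pax-42", "accounting", {"invoice": "INV-0001"}, t0)
    store.store("pax-42", "newsletter", {"email": "pax@example.com"}, t0)
    try:   # no explicit marketing consent was ever given, so storing for it is refused
        store.store("pax-42", "marketing", {"email": "pax@example.com"}, t0)
        marketing_refused = False
    except PermissionError:
        marketing_refused = True
    withdrawn = store.ledger.withdraw("pax-42", "newsletter", t0 + timedelta(days=1))
    swept = store.retention_sweep(t0 + timedelta(days=2))   # meal preference expired, newsletter withdrawn
    erased = store.erase_subject("pax-42")                   # only the legal-hold record remains
    return {"marketing_refused": marketing_refused, "withdrawn": withdrawn, "swept": swept,
            "erased": erased, "remaining": [(r.purpose, r.restricted) for r in store.records]}
```

Running `run_demo()` shows the three behaviours a reviewer would check: storing without consent is refused, the sweep removes both the expired meal preference and the withdrawn newsletter address, and the deletion request leaves only the accounting record, now marked restricted. A real system would also log each withdrawal and erasure so that an access request can show the history described earlier on this page.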
Businesses small and large turn to Omnibasis to create and manage user directories, agreements and consents, and to keep a record of their business's personal data processing activities. Start your compliance journey at omnibasis.com today.