7 tips for getting you and your business better aligned with the GDPR
As of 25 May 2018, the new General Data Protection Regulation (GDPR) is finally in force in the European Union (EU), having been formally adopted over two years prior. In the lead-up to this new regime, people and businesses all over the world have been trying to put their house in order, to ensure they comply with its provisions.
Although it builds on its predecessor, the 1995 Data Protection Directive, the GDPR differs in one key respect. In a nutshell, the GDPR not only applies to organisations located within the EU, but also applies to organisations located outside of the EU – if they offer goods or services to, or monitor the behaviour of, individuals who reside within the EU. The long reach of the GDPR – its extra-territorial reach – has caused numerous organisations to re-examine their systems and their approach to the handling of personal data, in order to avoid the stiff fines the EU is prepared to levy when breaches are determined.
Within the Caribbean procurement space, the spectre of the GDPR may not be as acute in the first instance. Since most projects are in the Caribbean region, for the region, they tend to fall beyond the scope of the GDPR. However, where work by Caribbean consultants, contractors and vendors (of goods and services) is executed for or on behalf of European firms, or targets European residents, the GDPR becomes an important consideration.
To that end, there is a wealth of resources online, such as the EU GDPR Information Portal, which details the Regulations, along with key issues that should be given particular attention. We also recommend that you listen to the ICT Pulse Podcast episode, in which the nuts and bolts of the GDPR are discussed with Caribbean attorney-at-law, Bartlett Morgan.
In terms of practical things you can do, and as a starting point, we suggest the following tips to help you (and your team) stay on the right side of the GDPR, as well as many of the data protection regimes that are being implemented across the Caribbean region:
1. Fully understand why you are collecting and holding the data that is in your (and/or your organisation’s) possession. Under the GDPR, the data owners are entitled to know why you are holding their data and how it is being used.
2. Map how data, and personal data in particular, flows through your organisation, along with the systems and resources that are used. Assess the risk: whether all of the steps, systems, actors, etc., are needed; the extent to which the data could be compromised; and whether there might be better, or more efficient and effective, ways to achieve the purpose for which the data is being kept.
3. Stop collecting data you don’t have a legitimate need for, and recognise that data such as IP addresses and other online identifiers are personal data, which now fall under the scope of the GDPR.
4. Review how long you retain individuals’ data for, and how it is stored and secured. You should not retain individuals’ personal data any longer than you need to, and appropriate arrangements should be made to ensure that the data is properly and safely stored.
5. Review and update your business’ (and its website’s) privacy notices to provide the additional information required by the GDPR.
6. Amend all of your data contracts – especially if you are in the business of collecting data, processing data, market research, or even conducting surveys – to ensure they are GDPR-compliant.
7. Pay attention to the third-party entities you might be using to process, or otherwise handle data on your behalf. Ensure that their data privacy and terms of use policies are also aligned with the GDPR, to reduce the chance of difficulties in the future.
Image: geralt (Pixabay)