Personal data is highly sensitive: it covers your background, your contacts, and even your medical history. While we work online, a dialog box pops up asking us to agree to share our data, and most of us readily click yes, effectively consenting to its misuse. Individual privacy is routinely compromised by unauthorised access to and unethical use of personal data. Personal data has been highly vulnerable to theft in most parts of the world, including the European Union. To protect the interests of people in the EU, the EU has enacted the GDPR.
"When does GDPR take effect?" is a question many people still ask, because of a lack of awareness and understanding. Here is how it works.
GDPR stands for General Data Protection Regulation. It was adopted in 2016 and became enforceable across the EU on May 25, 2018. The regulation imposes strict privacy and data-security obligations and provides for heavy penalties for violators.
Though many companies have started to comply with the GDPR, one question still comes up: who does the GDPR apply to? Some small companies assume they fall outside its scope. That is not the case. The GDPR applies to anyone who processes the personal data of individuals who are in the EU, regardless of where the company or its offices are located. If the data you hold relates to people in the EU, the GDPR applies to you as well.
GDPR and Small companies
When the GDPR was introduced, many small companies whose work revolves around processing large amounts of data asked whether it applied to them. One might assume that having only a few employees exempts a company. It does not: small companies with fewer than 250 employees also fall within its scope. (The only concession to size is a partial exemption from the record-keeping duty, and even that does not apply if the processing is regular, risky, or involves special categories of data.)
How to deal with GDPR
Though many small companies are scrambling to prepare, many are still unaware of the main checklist that has to be followed.
The first and foremost item is the individual's strengthened rights over their information and how it is used. This includes the right to erasure: where an individual objects to the processing or withdraws consent and you have no other legal basis for keeping the data, you must delete it. Once the contract with the customer ends, the company can no longer rely on that contract as a reason to retain the data.
The next item is familiarity with your own data. A small company has to be able to show what kinds of personal data it holds, and it has to document properly how that data is used.
Under the GDPR, demonstrating consent to use data has become more demanding. Consent has been unbundled: separate permission is needed for each distinct purpose, such as marketing or fraud checks. Being able to prove that consent was given is also a key part of the regulation, so proper records of consent must be kept.
The security measures taken by a small business must also be GDPR compliant. This means stricter technical and organisational safeguards, such as encryption and pseudonymisation of personal data, will be required. Moreover, a data protection officer has to be appointed where the company's core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data; the officer is responsible for overseeing how personal data is processed.
Training employees is another important aspect of becoming GDPR compliant. Staff need training on how to recognise a personal data breach and how to escalate it internally, because the company must notify the supervisory authority within 72 hours of becoming aware of a breach, and must inform the affected individuals without undue delay when the breach poses a high risk to them. A defined process is needed to red-flag areas of concern quickly enough to meet that deadline.
The biggest security threat often comes from third parties. Despite a company's own sound security measures, third parties can still compromise the personal data they handle on its behalf, and a breach can just as easily originate at a small supplier. Small companies therefore need to make sure that their third parties (processors) are also GDPR compliant and bound by written contracts, so that no loopholes remain.
The Penalties of GDPR code breach
The fundamental purpose of this regulation is to prevent security breaches and the unethical use of personal data, and where such incidents occur the violator has to pay a penalty. Under the GDPR, the maximum fine for the most serious infringements is EUR 20 million or four percent of the company's worldwide annual turnover for the preceding year, whichever is higher.