In just a few months, the new General Data Protection Regulation or GDPR will be strictly enforced and will completely change how organisations process and handle data which will pretty much impact you and everyone you know.
What is GDPR?
According to its website, the General Data Protection Regulation (GDPR) is “the most important data privacy regulation in 20 years.” It will be the new framework for data protection law in Europe and will replace the 1995 Data Protection Directive. According to Wired, “the legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals”. Its primary aim is to give control of personal data back to citizens, especially data stored by social networks and cloud providers.
GDPR is enacted by the EU Parliament and was adopted on April 27, 2016 and becomes enforceable on May 25, 2018 after a two-year transition period. As opposed to a directive, it does not require national governments to pass enabling legislation and is directly applicable.
GDPR protects EU citizens, but in practice it applies to any company with even a purely online footprint in the EU market. According to Forbes, once GDPR is in place, you have to abide by it if you:
- Sell goods or services to EU citizens
- Operate a website that uses technologies to monitor people based in the EU
- Employ any residents of the EU
- Collect any kind of data that may include information about EU citizens
The provisions in the legislation are very comprehensive: any data on anyone in the EU brings increased obligations, from a stricter definition of consent to new requirements on data handling, data processing and data retention, among the many other matters covered by the regulation’s 99 articles. Alongside these strict compliance requirements, GDPR provides for severe penalties of up to 4% of your company’s annual global turnover or 20 million Euros, whichever is higher.
What Does this Mean for the User?
While GDPR places increased obligations on companies that collect personal data, it also gives individuals more power to access information held about them. GDPR will scrap arrangements such as the Subject Access Request (SAR) fee, under which businesses and organisations can charge 12 Euros for a user’s own data. Under GDPR, requests for personal information can be made free of charge and the resulting data must be provided within one month.
Tech companies, big or small, have to give users more control over their data. For example, users have the right not to be subject to automated decisions. Subject to certain exceptions, users must be given an explanation of decisions made about them algorithmically.
Additionally, GDPR gives individuals the right to get their personal data deleted in specific circumstances.
What Happens to Your Personal Data?
According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” GDPR does not, however, apply to the processing of personal data for national security or law enforcement activities within the EU.
GDPR requires data controllers to implement measures that meet the data protection principles by design and by default. Article 25, entitled Privacy by Design and by Default, requires that “protection measures are designed into the development of business processes for products and services”. This includes the controller pseudonymising personal data (for example by encrypting it) at the earliest possible time.
Moreover, personal data can only be processed if there is at least one lawful basis to do so. The lawful bases are as follows:
- Consent has been given for specific purposes.
- Data processing is necessary for a contract.
- Data processing is needed for compliance with a legal obligation required of the controller.
- Data processing is necessary to protect vital interests of data subject or another person.
- Data processing is necessary to perform a task carried out in public interest (or exercise of official authority vested on controller).
- Data processing is needed for purposes of legitimate interests pursued by the controller or third party, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
GDPR and Data Recovery
Among the obligations that GDPR places on businesses is “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. To comply with this strict insistence on timely recovery, companies must have a flexible recovery plan that lets them respond properly to any kind of data corruption or data loss event.
Preparing for GDPR
Any individual, organisation or company that is a controller or processor of personal data is covered by GDPR. Whether you’re a startup or a big business, GDPR will demand more accountability and compliance from you for handling people’s personal data, including data protection policies, data protection assessments and documentation of how data is processed.
For companies having more than 250 employees, GDPR requires documentation of personal data collection and processing and why they’re being collected, including descriptions of information kept, how long they’re held and the technical security measures used. For companies with large-scale systematic monitoring of personal data, you must have a data protection officer (DPO). The DPO will be responsible for reporting to senior staff members about GDPR-related issues including compliance monitoring and communicating GDPR information to customers and other employees.
In certain situations, companies will have to obtain consent to process personal data. For companies that need consent to lawfully use personal data, GDPR requires a clear explanation of what is being consented to and a positive “opt-in”.
SaaS and GDPR Compliance
Thanks to software-as-a-service (SaaS) solutions, modern businesses have been benefiting a lot when it comes to digital agility, flexibility and scalability while saving time and cost. The ease from SaaS offerings now comes with the price of strict GDPR compliance. As SaaS-centric organisations and companies will be particularly affected by GDPR, here are a few tips to avoid the cost of noncompliance:
- Although GDPR is mostly an IT issue, every other department of your company must be informed of its impact. To address these impacts, it is a good idea to assign a team to handle the cross-departmental issues.
- GDPR runs to 88 pages containing 99 articles. Make sure you and your company know the requirements. Communicate the essentials to your employees and your customers, such as how to avoid a breach and what to do if one happens. Make sure you familiarise yourself with the information available at the GDPR website.
- Evaluate your existing compliance processes and methods under the new GDPR rules.
- Check your tech stack to see if it provides the visibility and control that GDPR requires. Make sure the tools and security measures you use help you prevent any kind of breach.
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.” — Elizabeth Denham, UK Information Commissioner
GDPR in Construction
Many construction businesses, especially those not using construction tech and tools, still believe that GDPR will not affect them. They overlook the fact that the way they handle employee data may be subject to GDPR scrutiny. Most modern construction businesses do not employ workers directly, and personal data about individual workers is procured and communicated by third parties. With modern construction tech and tools, data exchange between the various stakeholders in a construction project is common. Personal data within construction projects is also collected through worksite access cards and CCTV, and construction businesses handle personal data about customers and suppliers as well.
The smarter a construction project and the more digitalised its processes, the more data it collects, and that data must be checked for GDPR compliance.
As a construction business, here are the main points of GDPR data processing you would want to comply with (as summarised from above):
- Always process personal data lawfully, transparently and fairly.
- Only collect and process data based on specific and legitimate reasons.
- Only collect the minimum possible amount of data that your company needs in relation to your purpose. Additionally, only keep data that is required to be kept.
- Make sure data collected and processed are accurate and updated — those that aren’t should be reviewed or deleted.
- Delete data that is no longer needed for any given purpose.
- Always store data securely.
Although GDPR is an EU regulation, it will have a huge global impact. Compliance is crucial for every organisation affected, and especially for companies that depend on SaaS solutions. With GDPR forthcoming and the high stakes that come with it, it is imperative to know what you are in for. To end this article, we will quote Elizabeth Denham again with a short but powerful one-liner:
“We’re all going to have to change how we think about data protection.”
The post How GDPR Will Change Personal Data Control and Affect Everyone in Construction appeared first on APROPLAN.