On 25 May 2018, the EU's new General Data Protection Regulation (GDPR for short) starts to apply.
In this article, we tell you what that means for Isolta's customers, and especially for small companies. Most of the issues presented here already apply, so now is a good time to act.
The regulation has at least two major purposes. It protects our personal information from getting into the wrong hands or being used for the wrong purposes. On the other hand, it seeks to distinguish personal information from other business-supporting information, so that we are able to develop our business better on the basis of existing, valid knowledge.
What is personal data?
Personal data is any information relating to a natural person that can be used to directly or indirectly identify that person. Any personal data relating to the physical, physiological or behavioural characteristics of an individual which allows their unique identification is called biometric data (reference: GDPR Portal).
All companies are data controllers
The most important things to consider as a data controller:
- Where the personal information is collected from
- For what purposes the information is used
- On what grounds the information is transferred to third parties
- How to ensure the data is up-to-date
- How to store data safely
The general rule is that no more personal data should be collected than is necessary. You may want to challenge yourself: what kind of personal information do I need from my customers in order to develop my business? Privacy matters should be considered as part of business development rather than as a constraining factor.
Everyone should also be very careful about transferring data to other parties. Transferring means that you pass the personal information to a third party "permanently". After the transfer, the third party becomes the data controller for the information you provided.
Moving personal data is a lighter process than transferring it. For example, a subcontractor may have temporary access to your personal information. Such a "data move" is usually possible as long as the subcontractor commits to the same privacy criteria as you. The situation becomes more complicated if the subcontractor is outside the EU or the EEA, and we highly recommend double-checking the requirements with a data protection specialist in such cases.
Information security is part of data protection
For small companies, the easiest and safest way to protect personal data processing is to use a reliable cloud computing service. That way, the amount of data on the company's own computers is minimal. Computers connected to the network are also vulnerable to attacks, so security on the computers and the local area network must be at a good level. In a good cloud computing service, security is provided by professionals and the infrastructure is prepared to handle possible attacks.
Right to be Forgotten
The person whose personal data is stored is called the Data Subject. Under the new data protection regulation, the data subject has many rights over his or her own data. For example, the data subject has the right to ensure that his or her data is handled properly and that the information is correct.
A special feature of the privacy law is that the data subject has the right to have personal data about themselves removed. This can cause problems for the data controller, because personal data may be unstructured or spread across many places. The data controller should start thinking about how to store personal information so that it can be easily removed later.
There can be situations where data should not be removed, because removing it would violate statutory obligations. For example, invoices often contain personal information, but the law requires you to keep your own accounting records for six years, so you cannot delete that data.
The service provider helps the data controller
If a data controller keeps the data in a cloud service (e.g. within Isolta's service), the service provider is a Personal Data Processor. The data processor must help the data controller perform his or her duties. The data controller has, for example, the obligation to provide data subjects with their personal data in a structured, publicly usable and machine-readable form. The service provider should provide these tools to the data controller.
If the controller's personal data register suffers a so-called Personal Data Breach (for example, a username and password gets into the wrong hands), the controller has to report it to the Data Protection Authority within 72 hours. If the register is in a cloud service and the cloud service provider (i.e. the personal data processor) detects a security breach, it is obliged to report the breach to the controller. In such situations, the controller should contact the cloud service provider, whose customer service helps with the case.
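As an added illustration of the two points above (erasure that respects the six-year accounting retention, and handing a data subject a structured, machine-readable copy of their data), here is a toy customer register in Python. It is not Isolta's code or part of the article; the class names, fields, the way the retention period is counted from the latest invoice, and the sample customer are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass, asdict
from datetime import date

RETENTION_YEARS = 6  # accounting retention period the article mentions (assumed to run from invoice date)

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

@dataclass
class Customer:  # all personal data lives here; other records hold only the id
    customer_id: int
    name: str
    email: str
    notes: str

@dataclass
class Invoice:  # accounting record: references the customer by id, no contact details
    invoice_id: int
    customer_id: int
    issued: date
    total_eur: float

class Register:
    def __init__(self):
        self.customers, self.invoices = {}, []

    def export_subject(self, cid):
        """Portability: structured, machine-readable copy of everything held on one person."""
        data = {"customer": asdict(self.customers[cid]),
                "invoices": [asdict(i) for i in self.invoices if i.customer_id == cid]}
        return json.dumps(data, default=str, sort_keys=True)

    def erase_subject(self, cid, today_iso):
        """Erasure request: delete all, unless invoices are still inside statutory retention."""
        c, today = self.customers[cid], date.fromisoformat(today_iso)
        latest = max((i.issued for i in self.invoices if i.customer_id == cid), default=None)
        retain_until = add_years(latest, RETENTION_YEARS) if latest else None
        if retain_until and today < retain_until:
            c.email = c.notes = ""  # keep only name + invoices that accounting needs
            return {"status": "partially_erased", "retain_until": retain_until.isoformat()}
        del self.customers[cid]
        self.invoices = [i for i in self.invoices if i.customer_id != cid]
        return {"status": "erased", "retain_until": None}

def sample_register():
    """Constructed sample data, not real customers."""
    r = Register()
    r.customers[1] = Customer(1, "Example Person", "person@example.com", "prefers e-mail")
    r.invoices.append(Invoice(10, 1, date(2018, 3, 1), 120.0))
    return r
```

Because every record outside `Customer` refers to the person only by id, an erasure request touches one row, and the retention check decides whether that row can go now or only after the invoices have aged out.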
How should I start?
If there is extensive personal information processing in the company's activities (e.g. a comprehensive customer register or sensitive data), the company should always plan its data processing activities with a data protection officer. It is also possible that a specific Data Protection Officer must be appointed within the company. Another potential commitment is the so-called Privacy Impact Assessment, which should systematically describe the handling, treatment and safeguarding of data.
Of course, small companies usually have less need to collect personal data, so the related requirements are lower. However, it is a good idea for every business to take the time to write down what personal information is needed for particular business activities.
In small businesses, personal data is most often created as part of the customer register and invoices. When you save your data to Isolta, you can be sure that the basic requirements for data protection are in order. Isolta customer service helps you with issues related to data protection, so you are not alone in this matter.