What does GDPR compliance mean for my business?

16 July 2019   /  Articles

GDPR is a legal act which regulates personal data protection and, in essence, grants people a set of rights. These rights allow them to limit, stop or modify the processing of their personal data by data controllers and data processors. What does that mean in practice, though, and how do you become GDPR compliant?

Personal data

GDPR states that any data which allows a natural person to be identified, either directly or indirectly, is personal data. Examples of such data are name and surname, e-mail address, phone number and IP address. Nowadays a great deal counts as personal data, even so-called "metadata" or some "cookies". You therefore need to analyze carefully which of the information you collect falls under the definition.

Do I “process” personal data?

Processing data is, pretty much, everything you can do with it: managing, storing, collecting, modifying and deleting. But are you a data controller or a data processor? Data controllers decide what the data is collected and used for and by what means; they have the main interest in processing the data. However, they sometimes ask other entities to carry out some processing activities for them. For example, you may use a hosting provider to store your databases or an external IT support company to manage your servers. Such external companies, which perform certain tasks with access to or responsibility for personal data, are data processors.

When should I worry about GDPR compliance?

Basically, GDPR usually applies if the processing is done for business purposes, at least partly by automated means (for example, the data is stored on a computer), and:

1. the data controller is based within the EU; OR

2. the processing concerns data subjects who are in the EU, in the context of offering them goods or services (even for free) or monitoring their behavior (if the behavior takes place in the EU).

So if you are a data controller or a data processor and GDPR applies based on the above, you must take the necessary steps.

How to become GDPR compliant?

So it seems you may need to be GDPR compliant even if you are not from the EU. The first step is to ensure that you have a legal basis to process data. Most data controllers other than public authorities base their processing on the consent of the person whose data is being processed (the data subject), on the performance of a contract with the data subject, and/or on their legitimate interest. Whenever a data processor is involved, a data processing agreement (DPA) must be signed; GDPR specifies what a DPA must contain.

Once the correct legal basis for processing is identified, you need to check whether you provide the data subject with information on the scope of the processing and certain other details about yourself. This is one of your key obligations, because GDPR is all about transparency: the idea is to make sure that people understand who processes their personal data, how it is processed, and what their rights are.

The above might sound a little overwhelming, but, to be honest, this is just the beginning. GDPR sets a number of rules on how much data you can collect and what you can do with it. Moreover, each EU country has public authorities that can enforce GDPR. They can not only require you to stop processing activities that are not GDPR compliant, but also demand proper documentation or impose huge fines.

It is also a fact that GDPR can be used as an opportunity to improve the quality of the data you process and the level of security within your company. Call it a pain or an opportunity, but in any case, make sure you are compliant 😉

Author:
Grzegorz Leśniewski – attorney at law
