The General Data Protection Regulation (available in English here: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32016R0679), more commonly known as GDPR, applies directly from 25 May 2018. If you are running a business in Estonia and have contact with natural persons (physical persons), it is high time to check whether GDPR is relevant to you, if you have not done so yet.
We will outline some key aspects to help you find out whether GDPR applies to your business and whether you should dig deeper into this new piece of law, and, if it does apply, which matters are the most urgent to attend to.
GDPR regulates the processing of the personal data of natural persons. So what is personal data?
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It is very broad to say the least. But what is data processing?
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Even broader. So if you work with natural persons, chances are you are processing their personal data and GDPR should be of interest to you. Breaching someone's rights could mean administrative fines and claims for material and non-material (moral) damages.
There are many principles regarding the processing of data that should ideally be incorporated into your business through internal documents or electronic processes. Some things have to be made clear to the data subject explicitly.
Consent is one of the lawful bases for processing, but not the only one: processing that is necessary for performing a contract with the data subject or for complying with a legal obligation does not rest on consent. Where you do rely on consent, the data subject has to give it freely and specifically, and you have to be able to demonstrate that consent if asked. This could mean either explicit consent via e-mail or being able to prove that the data subject has "ticked a box" and given their consent (a pre-ticked box or silence does not count). The consent can be withdrawn at any time, and withdrawing it must be as easy as giving it. You also have to clearly define, and document, the purposes for which you process the data, whatever the legal basis.
At the time of collecting the data, you have to inform the data subject, among other things, of the period for which the data will be stored (or the criteria used to determine that period), of the right to ask for erasure of the data, of the right to lodge a complaint with the supervisory authority, why the data is necessary (is it a statutory or contractual requirement, and what happens if it is not provided) and of the existence of any automated decision-making.
Lastly, we would like to draw attention to the security of processing. GDPR requires that appropriate technical and organisational measures are in place to ensure a level of security appropriate to the risk. This could for example mean pseudonymisation and encryption of personal data, ensuring the confidentiality, integrity, availability and resilience of the processing systems, the ability to restore availability and access to the data in a timely manner after a physical or technical incident, and regularly testing that these measures actually work. For this, internal documents and rules should be drawn up, and the tests recorded, so that compliance can be proved when asked by the supervisory authority.
There are other complexities involved with GDPR, so it is important to carefully analyse the different requirements and to update or create your internal documents and processes accordingly. Overall, however, many of the requirements are already being fulfilled by companies today. We welcome the new regulation and its data protection rules.
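As an illustration of two of the measures named above (encryption of personal data at rest, and the ability to restore it after an incident), here is an added example in Go. It is not code from the original article and does not describe any particular product: it seals a constructed sample record with AES-256-GCM, records a digest of the plaintext at backup time, and then runs the kind of scheduled restore test an auditor would want to see, which must fail on a corrupted backup or a wrong key. The record contents, function names and the in-memory "backup" are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// encryptRecord seals one personal-data record with AES-256-GCM, so the record
// is unreadable at rest (confidentiality) and any later modification of the
// blob is detected on decryption (integrity). The random nonce is prepended to
// the ciphertext, so one blob holds everything needed to decrypt it.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord. It fails if the key is wrong or the
// blob has been altered or truncated.
func decryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// digest returns the SHA-256 of the plaintext as hex. Recording it when the
// backup is taken gives the restore test something to compare against.
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// verifyRestore is the "can we actually restore it" check: decrypt the backup
// copy with the key kept for that purpose and confirm the recovered plaintext
// matches the digest recorded at backup time. Run it on a schedule, not only
// after an incident, and keep the results as evidence.
func verifyRestore(key, backup []byte, recordedDigest string) error {
	plaintext, err := decryptRecord(key, backup)
	if err != nil {
		return fmt.Errorf("restore failed: %w", err)
	}
	if digest(plaintext) != recordedDigest {
		return errors.New("restored data does not match the recorded digest")
	}
	return nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record for the example; not real personal data.
	record := []byte(`{"name":"Jane Doe","email":"jane@example.com","purpose":"invoicing"}`)

	blob, err := encryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	recorded := digest(record)
	fmt.Println("restore test on intact backup:", verifyRestore(key, blob, recorded))

	// Simulate a corrupted backup by flipping one bit of the ciphertext.
	corrupted := append([]byte(nil), blob...)
	corrupted[len(corrupted)-1] ^= 0x01
	fmt.Println("restore test on corrupted backup:", verifyRestore(key, corrupted, recorded))
}
```

In a real deployment the key would live in a key management service or HSM rather than in process memory, the digest would be stored with the backup catalogue, and the restore test would run against the actual backup medium; the example keeps everything in memory so that it runs offline.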