By Mirela Cazacu, DPO & Quality Manager @ Euroanswer
In order to build particular relevance and efficiency for our clients and employees, we are constantly sharpening our technological expertise and keeping pace with the latest developments.
The latest priority of the business environment is the new European General Data Protection Regulation, especially since non-compliance might lead to high fines. Looking beyond the punitive measures, the regulation is meant to cover the gaps within the local regulations of the European Union member states, and it aims to encourage the free movement of personal data by increasing trust between companies/public bodies and data subjects. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial to both organisations and individuals.
The new GDPR replaces Directive 95/46/EC from 1995, an important component of European Union privacy and human rights law, on which the UK developed its more extensive Data Protection Act in 1998.
We started building our compliance at Euroanswer by appointing our Data Protection Officer, who represents the interface between the company and the Data Protection Authority on one hand, and between the company and the data subjects on the other. The DPO has the role of informing and advising the management and employees (data subjects) about their obligations, monitoring overall compliance and providing information to the Data Protection Authority.
The main individual rights the GDPR defines are: the right to be informed, the right of access, the right to rectification, the right to erasure (from the famous “Right to be forgotten” set by the UK DPA), the right to restriction of processing, the right to data portability, and the right not to be subject to automated decision-making (including profiling).
Organisations need to ensure that all these legal rights are protected by successfully combining effective security measures with specific frameworks and procedures. An important part of compliance is creating awareness within the organisation, as employee error continues to be the highest risk. Awareness programmes should include clarifications related to risks, but they also need to give employees the means to identify a possible breach and, at the same time, encourage them to report it (a large percentage of those reporting issues are customers).
Before we started drawing our compliance map, we searched for tools, best practices and clear examples of how to handle certain situations. A very consistent source we discovered was the Article 29 Working Party’s website: http://ec.europa.eu/newsroom/article29/news-overview.cfm.
Art. 29 WP is a group made up of the national regulators from each country in the European Union, which has 28 members (including the U.K. until Brexit), and which will become the European Data Protection Board on May 25. The group provides independent advice to the European Commission on all things related to data protection. Data protection laws are complex, and each market within the EU has different dynamics, so the group aims to harmonise and streamline the implementation of the law. On the above-mentioned site, we found useful templates, case studies and articles explaining parts of the Regulation. It is worth mentioning that when the new board officially starts its new role, it will also have the legal power to make final decisions on issues such as disputes within the group, should regulators from different countries disagree with each other.
A positive aspect of implementing GDPR is that, while vital processes need to be put in place, in terms of paperwork there is one single mandatory document that organisations need to develop: the Register of Data Processing. Every organisation, regardless of its size, that keeps data on its personnel, clients and/or suppliers or other persons will have to maintain an updated record of its processing activities.
At Euroanswer, being a medium-sized company, we based the implementation on a Data Mapping exercise to determine what personal data we handle and which processing flows run across the departments. Following this, we ran an Impact Assessment to determine the important areas and priorities, which were translated into implementation steps.