The General Data Protection Regulation (GDPR) can seem intimidating at first, especially when you only have a vague idea of what it is about. It feels complicated, and most people are unsure how to comply with it.
What exactly does the GDPR mean for citizens and business owners? How do private companies and individuals comply with it? Are there different rules depending on the size of the business?
We interviewed Julia Reider, a Data Protection Officer (DPO) consultant for Velvet and the Data Protection Lead of Evolution Gaming. She has extensive knowledge of how the GDPR works, with years of experience as a DPO. She is also the mind behind the combination of human-centred customer service with rigorous protocols that forms the core of the GDPR Module of Cowork.Tools.
Before we deep-dive into the interview with Julia, first things first:
What is GDPR?
According to Wikipedia:
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Julia further explains that the main idea of the GDPR is simple: it is made for physical persons, so that they know more about their rights to their data. For businesses, the GDPR is also very good, because it encourages good ethics within the company about how data is used and where it is stored.
She also explains the importance of the regulation: it is really for companies to understand more about what data they hold, because that is always an asset and has value.
It is not the aim of the GDPR to ruin any business; it is for businesses to understand what they are doing with data, for the good of the people who are their users and clients, and for the good of the companies themselves.
Who does the GDPR apply to?
There are many misconceptions about data privacy regulations, but possibly the biggest is that the GDPR only applies to companies and has little or no effect on individuals. That could not be further from the truth.
Julia says that the GDPR applies to any legal or physical entity that is processing personal data of European citizens or of people residing in Europe. Processing, in short, means doing anything with the data.
In other words, according to Julia, the GDPR still applies to the data of European citizens who are outside Europe, and it also applies to non-EU citizens living in Europe.
What does processing of data mean, though?
Julia then turns to what processing means. What do you have to do to the data for it to be called "processing"? She says that the GDPR defines processing very widely: collecting, amending or storing data all count as processing.
For example, if you just have personal data on a CD for some reason, and you are storing it on that CD, and you might have already forgotten all about those people, the GDPR still applies. And if you use this data for anything, the GDPR applies as well.
What is a GDPR policy?
According to Julia, the term "GDPR policy" is very broad, but in general a policy should explain how each type of personal data has been collected and how it will be used, and it should consider the different categories of data subjects involved.
One example she gives is how your employer may use your personal information. Before you sign the employment agreement, the company needs certain data in order to identify you, and it should explain, even as a simple bulleted list, what type of data it is asking for, why, how it will be used and for how long it will be stored. Your employer should be able to explain how specific items, such as your bank account details, will be used and to what extent.
Another example she gives is companies that collect personal data such as your name, phone number and email address, or your physical address in the case of delivery companies. Their policy should set out the extent of, and the restrictions on, how and where they will use that information, and it should state how long they will keep your data.
The GDPR policy ensures that your personal data is protected and used only for its intended purposes. Under the GDPR, processing is lawful only if at least one of the following lawful bases applies:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Tasks
- Legitimate Interests
If none of these bases applies, the processing of personal data is unlawful. Julia explains that companies should be able to state clearly the purpose of data collection, and the policy should also say whether the collected data will be shared with a third party. It is also important to note that consent must be as easy to withdraw as it was to give.
What data is covered by GDPR?
The GDPR regulates the use of an individual's personal data by another party. While that sounds simple enough, personal data is a broad term. One might think it only includes name, address, phone number, ID number or credit card number, but that is just the most basic personal information. Under the right circumstances, a lot of other information can be identified as personal data.
For instance, your medical history, even if only your name is given, is considered personal data as it pertains to you. Another instance is IP addresses. Normally, people don’t think that it is a part of their personal information, however, IP addresses can actually be used to identify you.
What is not covered by GDPR?
As with everything, there are exceptions to the rule: the GDPR does not cover everything. What does that mean in practice?
One thing the GDPR does not cover is how an individual uses their own personal information. It is up to each individual what they do with their own personal data, and they can use it however they want.
Another is certain company data that is published for the public.
For example, with board members of a public company, even if their name and surname, and sometimes their address, are known, this data is about the company. It is not considered personal information, because the company is public and the law says that these persons also need to be publicly known. These are the main two types of data that are not covered by the GDPR.
What if there is a breach? What do I do then?
Data breaches are among the main issues the GDPR addresses. So what do you actually do when a breach happens?
Julia says that it depends on your role and on the nature of the breach. For example, you are an employee of a big company and you have to email 200 people, but the email should be personal because it contains sensitive information, and you accidentally cc all of them. Or maybe you sent it to the wrong person inside the company, or worse, to a third party who is not the client. That is a breach. Another case is when your company is hacked and all the information about your clients, such as their credit card numbers, is exposed. In all of these cases, what you have to do is inform your information security team, or whoever is responsible for data security, so they can determine the impact of the breach and decide on the best course of action to contain it.
Is sharing an email address or phone number a breach of GDPR?
Julia answers that sharing this information with third parties is not a breach if, and only if, the owner of the data has given you their consent to do so. It does not matter whether the consent is written or verbal, as long as it is given freely. If consent was not given, it is a breach.
What does GDPR mean for employees?
Julia has given some examples of how employees can cause a data breach, whether directly or indirectly. But how does the GDPR affect these employees?
She says that labour law requires the GDPR to be included in company policies, so the consequences depend on the company's internal rules.
Usually, when it comes to enforcement, the authorities look at whether the data processor shows an unacceptable level of tolerance for mistakes, and use that to gauge what the punishment should be. Within a company, a first offence may mean a verbal reprimand, while a serious mistake may lead to termination of employment.
What about companies outside the EU that I share information about my coworkers with? What do I need to do?
Julia explains what changed for data transfers between the EU and the USA after the law that covered those transfers was declared invalid.
If you know, at the end of July, I don't remember exactly, I think it was the 27th of July, the Brexit Issue law which was covering the data transfers between the USA and the European Union was recognized as invalid.
So, in case you use any US software which uses servers in the USA, you need to sign an additional annex to the contract in order to be covered by the GDPR, because this privacy issue law which was working for years is not valid any more.
But it's not complicated. You just sign an additional annex which is called Standard Contractual Clauses (SCCs). It's a standard template of the European Union which is available on the European Union website. You just ask your American partner to sign the annex, and you're covered.
Do I have to delete my old emails or shred all my coworkers’ posts under GDPR?
Okay, about emails: if we're talking about your private email, like Gmail or Yahoo, you can do whatever you want with it. But if we talk about corporate email, then the company should have a retention policy for emails and their disposal; it should state for how long the company is keeping emails, and after that they should actually be deleted.
Regarding retention, there are so many terms. All the international auditing companies store emails only for two years, because they consider that email is not storage, it is a communication channel.
So communication older than two years is not really used and not needed, and all the valuable information should be stored somewhere else, outside Outlook. I also know companies who are storing emails for 10 years, and I believe there are still companies who are storing emails indefinitely, but this is not good practice under the GDPR.
Julia then adds: In general, I would say that the main idea of the GDPR is just to give physical persons more rights over their data. And I think it's great, because we all know how much spam we get in our personal mailboxes. So now it's all illegal. But of course, we are not going to complain about every spam message to the data service.
There you have it: the basic rundown of the GDPR from a data protection officer with 10 or more years of experience under her belt.
Julia leaves us with the thought that being GDPR-compliant fosters good ethics within companies. The GDPR is an asset: it gives companies an understanding of how to protect their customers and clients better, and the reputation they gain by being GDPR-compliant makes clients like us trust them more.