General Data Protection Regulation (GDPR)
You are probably here because you have heard about the GDPR and are full of questions. Maybe you've read something in the news, or read the European Union website (but probably not). And now you are curious about it and the consequences for your business.
Personal data are all data of an identifiable natural person. This involves information that is either directly about someone or can be traced back to a person.
Every organisation that is located in the EU, or that is collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data of people situated in the EU, must comply with the GDPR.
You have to comply with the GDPR for a couple of reasons - not only because it's the law! Think of the financial cost in case you have to recover data. And consider your reputation: being GDPR compliant shows your clients that they can trust you, and they really appreciate that.
When people learn about the GDPR, the first questions they have are: how do I comply with the GDPR? Do I really need a data protection officer? Do I need expensive consultants?
A data protection impact assessment (DPIA) is necessary if a type of data processing you carry out is likely to result in a high risk to the rights and freedoms of natural persons.
In order to comply with the GDPR, the first thing you have to do is keep a record of all your data processing activities - we call it a processing index.
Whenever you collect personal data from a natural person, you have to inform that person about who you are, the purpose of the processing, the recipients of the data, how long you are keeping the data, and so on. One way to inform people is through a privacy statement.
Whether you need a data protection officer (DPO) or not depends on the scope and purpose of your data processing activities.
Data processors process data on behalf of the controller. You need to ensure that your processors are GDPR compliant.
With appropriate technical and organisational measures you must protect the personal data for which you are responsible and ensure processing in accordance with the principles of the GDPR.