Short for General Data Protection Regulation, GDPR is both a legal instrument and a milestone in data protection for everyone whose personal data an organisation collects. It replaced earlier data protection rules that had aged badly and were applied unevenly, often in the interest of organisations rather than of the people whose data they held. GDPR gives effect to the right to privacy and has applied since 25 May 2018.
Personal data under GDPR covers not only names, ID numbers, postal addresses, email addresses and telephone numbers but also online identifiers such as IP addresses, log entries that can be tied to a person, and social media activity. What is new is not just that organisations need a lawful basis, consent being one of them, before they process such data; they must also follow stricter rules on how those volumes of personal data are managed.
GDPR imposes a set of basic duties: keep a record of how personal data is processed (purposes, retention periods, sharing with others), document each processing activity, and honour the rights of data subjects, including the right to erasure. The record-keeping duty has a limited exemption for organisations with fewer than 250 employees, discussed below; the rights of data subjects apply regardless of the organisation's size.
Now let’s get a bit more technical about ROPA
The well-known ROPA, short for Records of Processing Activities, comes from article 30 of the GDPR. It sets out what controllers and what processors must record about the personal data they handle, and it is the backbone of the accountability principle.
The controller must record its own name and contact details and, where applicable, those of any joint controller, its representative and its data protection officer. Beyond that, article 30(1) requires the controller to record the purposes of the processing, a description of the categories of data subjects and categories of personal data, the categories of recipients (including recipients in third countries or international organisations), any transfers to a third country or international organisation together with the safeguards documented for transfers that rely on the exceptional grounds in article 49, the envisaged time limits for erasure of each category of data, and, where possible, a general description of the technical and organisational security measures protecting the data.
The processor's record, under article 30(2), is different. It covers the processor's own name and contact details, the name and contact details of each controller on whose behalf it processes, of the controller's or processor's representative and data protection officer where applicable, the categories of processing carried out on behalf of each controller, any transfers to a third country or international organisation together with the documented safeguards for them, and, where possible, a general description of the processor's own technical and organisational security measures.
Article 30(5) provides a limited exemption for small and medium-sized organisations. An enterprise or organisation with fewer than 250 employees need not keep the record unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data (article 9) or data relating to criminal convictions and offences (article 10). Since regular processing of staff or customer data is not occasional, the exemption is narrower than the headcount alone suggests.
How to Achieve GDPR Compliance?
Achieving GDPR compliance is the responsibility of the organisation as a whole, and the controller and the processor are each accountable for the safeguards around the data they collect and process.
A few steps go a long way towards that goal:
- Maintain a strict, up-to-date inventory of the personal data being processed, and involve every interested party within the company in keeping it current.
- Run audits and data-mapping exercises so that the people responsible know where personal data sits and can apply the GDPR requirements to it.
- Discipline matters: data must be stored in known locations, under known controls, and not left to accumulate.
- Hold workshops that explain which categories of data are subject to retention rules, so that everyone shares a common vocabulary.
- Keep the chain of data flow well documented and controlled. Data-mapping exercises test that chain, including the transfer mechanisms used when data leaves the organisation.
- When reviewing the mechanisms and the performance of the people responsible for processing and retention, keep the results in writing; they will be of significant use later, for example when a supervisory authority asks for them.
- Ongoing supervision is key to complying with GDPR.
How will this actually help?
The benefits of GDPR in securing data and protecting clients are not just theoretical. It gives the client the following safety nets, found across the regulation and not only in article 30:
- Data processing becomes lawful, fair and transparent: its conditions are explicit, disclosure is firmly regulated, and processes and workflows are documented;
- Where processing relies on consent, that consent must be clear and specific to the purpose and conditions of use and retention; in every case the organisation must explain what data it collects, for what purposes and how it will use it;
- Controllers and processors become more aware of their duties towards the data they hold, understand the consequences of mishandling it and can be held accountable;
- Clients have the right to be "forgotten" and can request erasure of their data from the organisation's registries;
- Failing to keep the article 30 record is itself punishable, with administrative fines of up to 10 million euros or 2% of worldwide annual turnover (article 83(4)), and personal data breaches must be reported to the supervisory authority, generally within 72 hours (article 33).
Complying with GDPR makes organisations more transparent and more responsible in the workflows that carry personal or sensitive data, and demands a much higher level of accountability. Personnel involved in collecting, processing and retaining data have a much clearer duty to protect it, to keep data handling hygienic, and to attach the technical and organisational safeguards to every data set so that it stays properly handled even after it leaves the organisation.