Each individual has the right to not only access their data but also to transfer and reuse this data across multiple services. According to article 20 of the GDPR this must be done in a “structured, commonly used and machine-readable format”.
Right to be Forgotten
If an individual requests to have their data erased or withdraws consent, then you have up to one month to comply. There are certain circumstances in which you can refuse to erase the personal data, such as when the information is needed for public health purposes. It is also your responsibility to inform any third party who may have received the individual's personal information about the request to be forgotten.
Data Protection Officers
If your company lies within the public authorities, OR you carry out a large level of individual monitoring, OR your data controllers deal with data relating to criminal offences, then you will be required to assign a data protection officer. This person can be hired internally or externally but must have the relevant experience. They will be responsible for the monitoring of data, for making sure your company stays compliant with the GDPR, and for the training of employees. They will also be the first point of contact for both the supervisory authorities and individuals. For a full description of the data protection officer role and guidance on whether you should be hiring someone, visit the ICO’s website.
Extra-Territorial Scope
Remember how at the beginning of this article I said that the GDPR applies to all companies that process consumer data in the EU, whether or not that company is actually in the EU itself? Yeah, that’s the extra-territorial scope. The laws have always stated that any company that processes data within the EU falls under the territorial scope and this will still apply when the GDPR regulations come into play. The difference now is that the regulations will also apply to data controllers processing personal data of EU citizens outside of the EU. This has been made explicitly clear.
Privacy by Design
OK, so this is a new one for data controllers to get to grips with. Previously, although you would have to take the correct measures to ensure that personal data was protected, you wouldn’t have to actually design for it. So, what do I mean by this? In short, data protection must be a core consideration from the get-go when designing and implementing software, not just an extra addition bolted on at the end. Secondly, data controllers must only process data that is absolutely necessary and only store it for as long as it is needed.
So, these are the main areas of the GDPR that we feel to be the most important. However, every company is different and will need to make their own changes. The best way to get prepared is to take a series of self-assessments, which you can find here. You will receive guidance and advice on what your next steps of action should be, along with an overall rating.
Salesforce have provided some guidance on GDPR too. Read the post from Pardot here.
Please note that we are not giving legal advice on this subject. We are simply conveying our understanding of the GDPR changes.