The entry into force of the General Data Protection Regulation (GDPR) marks a milestone for individual privacy rights. Today, digital technology profoundly affects our lives, from the way we connect with others to the way we interpret the world. For this digital transformation, the ability to store and analyse large amounts of data is fundamental to generating deeper insights and more personal customer experiences. This helps us achieve much more than ever before, but it also leaves an extensive trail of data, including personal information and confidential business records, that needs protection.
What is GDPR?
The GDPR is a European Union (EU) privacy law that has affected businesses around the world since it came into effect on May 25, 2018. The goal of this regulation is to protect users and their data by making them aware of how companies use their personal information. It also allows individuals to have the data that companies store about them deleted, or to stop companies from continuing to collect it.
Finally, companies should study how to manage their data protection processes. They should know how to protect new systems in order to implement the principle of “privacy by design”. Moreover, organisations whose main activities include the processing of large amounts of personal information should appoint a person in charge of data protection. Although these measures are meant to reduce the likelihood of a data breach, if one does occur, organisations will be obliged to report it to the competent authority within 72 hours.
In this article I will explain why the GDPR is vital for safeguarding individual privacy rights.
Why is the General Data Protection Regulation (GDPR) important?
In essence, the GDPR exists to protect the personal data of individuals by ensuring adequate levels of security, governance and administration of that data, so that it is not misused and does not fall into the wrong hands. To make sure your company is effectively protecting the personal details and confidential information that are relevant to your compliance needs, you must implement solutions and processes that allow your organisation to detect, classify, protect and monitor its most critical data.
CHANGE IN PRIVACY LAWS DUE TO GDPR
The GDPR provides more privacy rights to people across the globe while also establishing essential obligations for organisations.
Extension of the rights:
The GDPR offers extended rights such as the elimination, restriction and portability of personal data.
The GDPR requires organisations to implement appropriate security policies and protocols, conduct privacy impact assessments, maintain detailed records of data processing activities and enter into written agreements with suppliers.
Security notification and data breach:
The GDPR requires organisations to report certain data breaches to data protection authorities, and under certain circumstances, to affected data subjects.
New requirements for profiling and monitoring:
The GDPR also imposes additional obligations on organisations involved in profiling or monitoring the behaviour of individuals.
Binding corporate rules (BCR):
The GDPR officially recognises BCRs (which Salesforce offers for some of its services) as a means for organisations to legitimise transfers of personal data.
TRAIN YOUR EMPLOYEES ABOUT DATA PROTECTION UNDER THE GDPR
Managing your employees
A lot of personal data about employees is needed to manage their career in your company.
For example, you need a lot of information to ensure:
- remuneration and mandatory social declarations;
- the maintenance of the single staff register;
- the administrative management of staff;
- work organisation (example: employee’s optional photograph for internal directories and organisation charts);
- employer-funded social benefits (example: information about employees’ dependants).
Ask your employees only for the information you actually need. If you have to handle particularly sensitive information, special obligations apply.
You hold sensitive information about your employees (bank details for payroll, social security numbers for social declarations, etc.). Keep it confidential and secure: only authorised persons should have access to it, and the actions those persons take on the data must be recorded (who connects to what, when, and to do what).
Inform your employees whenever you ask them for information. For example: updating administrative data, a training request, an evaluation interview form, etc.
Finally, always remember that your employees can ask you for a copy of all the data you hold about them. This includes a copy of a payslip, the balance of a time-savings account, badge-reader records, or messages sent via their professional e-mail. This applies even when the employee has left the company or is in a dispute with you.
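The access-control and audit-trail requirement above (only authorised persons may access the data, and every action on it is recorded: who, what, when, to do what) can be implemented as a thin layer in front of the employee records. The following is an added example, not code from the original article. The role names, the declared purposes, and the sample employee record are all constructed for the demonstration; a real deployment would take the authorisation matrix from its HR and payroll policies.

```python
"""Authorised access with an audit trail for employee records.

Added example, not code from the original article: it illustrates one way to
implement "only authorised persons may access the data, and every action on
it is recorded (who connects to what, when, and to do what)". The roles,
purposes and the sample employee record below are constructed for the demo.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json

# Constructed authorisation matrix: (role, data field) -> purposes for which
# access is allowed. Anything not listed here is denied by default.
PERMISSIONS = {
    ("payroll", "bank_details"): {"salary_payment"},
    ("payroll", "social_security_number"): {"social_declaration"},
    ("hr", "postal_address"): {"administrative_management"},
}


@dataclass
class AuditEntry:
    """One line of the access record: who, on whom, what, when, why, outcome."""
    timestamp: str      # when (UTC, ISO 8601)
    actor: str          # who connected
    role: str
    employee_id: str    # whose record
    data_field: str     # what was touched
    action: str         # "read" or "update"
    purpose: str        # to do what
    granted: bool       # refused attempts are recorded too


@dataclass
class EmployeeStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def _authorised(self, role, data_field, purpose):
        return purpose in PERMISSIONS.get((role, data_field), set())

    def _record(self, actor, role, employee_id, data_field, action, purpose, granted):
        entry = AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, employee_id=employee_id,
            data_field=data_field, action=action, purpose=purpose, granted=granted,
        )
        self.audit_log.append(entry)
        return entry

    def _check(self, actor, role, employee_id, data_field, action, purpose):
        granted = self._authorised(role, data_field, purpose)
        # The attempt is logged before the decision is enforced, so refusals
        # leave a trace for later review as well as successful accesses.
        self._record(actor, role, employee_id, data_field, action, purpose, granted)
        if not granted:
            raise PermissionError(
                f"{actor} ({role}) may not {action} {data_field} for '{purpose}'")

    def read(self, actor, role, employee_id, data_field, purpose):
        self._check(actor, role, employee_id, data_field, "read", purpose)
        return self.records[employee_id][data_field]

    def update(self, actor, role, employee_id, data_field, new_value, purpose):
        self._check(actor, role, employee_id, data_field, "update", purpose)
        self.records[employee_id][data_field] = new_value


def export_audit_log(store):
    """Serialise the log as JSON lines. Only metadata is logged, never the
    personal data itself, so the log can be shipped to a central log store."""
    return [json.dumps(asdict(entry)) for entry in store.audit_log]


def denied_attempts(store):
    """Entries worth reviewing: accesses that were refused."""
    return [e for e in store.audit_log if not e.granted]


def build_sample_store():
    # Constructed sample record; the values are placeholders, not real data.
    return EmployeeStore(records={
        "EMP-0001": {
            "bank_details": "IBAN-PLACEHOLDER-0001",
            "social_security_number": "SSN-PLACEHOLDER-0001",
            "postal_address": "1 Example Street, Exampletown",
        }
    })


if __name__ == "__main__":
    store = build_sample_store()
    # Payroll reads bank details to pay salaries: authorised and logged.
    print(store.read("alice", "payroll", "EMP-0001", "bank_details", "salary_payment"))
    # HR has no business reading bank details: refused, but still logged.
    try:
        store.read("bob", "hr", "EMP-0001", "bank_details", "administrative_management")
    except PermissionError as exc:
        print("refused:", exc)
    for line in export_audit_log(store):
        print(line)
```

Two design points matter here. Authorisation is tied to a declared purpose, not just to a role, so the same payroll clerk is refused the bank details when the stated purpose is a social declaration; and refused attempts are logged exactly like successful ones, because the refusals are what a reviewer looks at when checking whether access to employee data is being abused. The log carries field names and identifiers only, never the values, so it can be retained and shared more freely than the records it describes.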
Recruitment of a new employee
When you recruit a new employee, you cannot ask candidates for just anything: only information relevant to assessing their suitability for the vacancy may be collected.
Information about the jobs held by family members has nothing to do with the candidate’s skills for the proposed job. Moreover, it is not necessary at this stage to ask candidates for their social security number.
Inform candidates of what you will do with the data they give you, who will have access to it (the HR department? an external provider?), how long you will keep it, and how they can exercise their rights over it.
In particular, candidates must be able to access their data and have it corrected or deleted.
Once you have selected your new employee, delete the information held on the unsuccessful candidates.
Limits to controlling the activity of your employees
The labour code allows you to monitor the activity of your employees, and new technologies obviously make this monitoring easier. But there are restrictions: even in the workplace, employees have the right to respect for their private life and to the protection of their personal data.
Two simple rules to remember:
Do not abuse your power!
Monitoring must be based on a legitimate interest of the company, for example to limit the risk of excessive personal use of the Internet or e-mail during working hours. Employees must not be placed under constant surveillance: securing business premises, for instance, does not require an employee to be filmed permanently at their workstation. Another example: a vehicle geolocation tool installed to optimise the daily round of customer visits should not be used for any other purpose.
Consult the staff representative bodies where they exist, and inform employees before a monitoring system is put in place, for example through the IT usage charter, an internal memo or an amendment to the employment contract.
Depending on the technology you use for this monitoring (CCTV, geolocation, call listening and recording, etc.), special rules may apply.
Educate and train your employees!
The protection of your employees’ and customers’ personal data is not just a matter for lawyers or IT specialists. All of your employees must be aware of this issue. They are affected both as professionals dealing with your customers, suppliers and service providers, and as citizens.
Some simple points of attention:
Raise awareness of the rights of data subjects, so that a request received by any department is clearly identified and acted upon. Example: customer service receives an objection to receiving advertising and forwards it to the marketing department.
Raise awareness of the internal rules for handling personal data: only access the data you need, never disclose data to unauthorised third parties, and keep archived files, regular backups, etc. accessible only to designated people.
Raise awareness of the basic security rules: a complex, personal password for each login, a workstation locked as soon as you step away, no professional documents stored on personal devices, etc.
Take advantage of the arrival of the GDPR to educate all your employees: explain the data protection rules they must follow and distribute your IT charter.
If you want to know more, get in touch with me; I would be glad to answer your questions.