5 obligations for businesses arising from the GDPR
Data protection, pseudonymisation, record keeping, a data protection officer and prompt reporting of data breaches: these are the five most important obligations that the GDPR will bring for businesses in May.
The European Union's new General Data Protection Regulation (GDPR), which will come into force in May, brings a number of changes. It regulates not only the rights of citizens but also the obligations of businesses.
The GDPR will affect virtually every company with more than one employee, whether or not it operates on the internet. Businesses will have to invest heavily in software and in changes to their internal processes. The following lines summarize the five most important obligations that the introduction of the GDPR brings for businesses.
Data protection
The GDPR expands the definition of personal data. Personal data will now also include email addresses, phone numbers, photographs, IP addresses and the much-discussed cookies. The Regulation also adds a new category of so-called genetic and biometric data. These data, together with data on racial or ethnic origin, political opinions, health or sexual orientation, may only be processed under a very strict regime.
Pseudonymisation
Pseudonymisation of personal data is a process that hides a person's identity. Its aim is to allow further details about an individual to be retrieved and linked together without needing to know exactly who that individual is. Keys and encryption are used to achieve this.
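As an added illustration that is not part of the original article, the following Python shows one common pseudonymisation scheme: direct identifiers are replaced with keyed HMAC pseudonyms, so all records about the same person stay linkable without revealing who that person is, while the key and the re-identification table are held separately. The sample records, field names and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; people and addresses are fictitious.
RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "purchase": "umbrella"},
    {"email": "bob@example.com", "ip": "198.51.100.9", "purchase": "boots"},
    {"email": "Alice@example.com", "ip": "203.0.113.7", "purchase": "raincoat"},
]
DIRECT_IDENTIFIERS = ("email", "ip")  # fields that directly identify a person


def pseudonym(value: str, key: bytes) -> str:
    # Keyed pseudonym (HMAC-SHA256, truncated). Same key + same value -> same
    # pseudonym, so one person's records stay linkable; without the key it can
    # be neither reversed nor recomputed from a guessed value (unlike a bare hash).
    normalised = value.strip().lower()
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    # Replace direct identifiers; return the pseudonymised records plus the
    # re-identification table. Key and table are the "additional information"
    # that must be stored separately from the data and access-controlled.
    pseudonymised, lookup = [], {}
    for record in records:
        new = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                p = pseudonym(new[field], key)
                lookup[(field, p)] = new[field].strip().lower()
                new[field] = p
        pseudonymised.append(new)
    return pseudonymised, lookup


def reidentify(record, lookup):
    # Restore original identifiers; only possible with the separately held table.
    return {f: lookup.get((f, v), v) if f in DIRECT_IDENTIFIERS else v
            for f, v in record.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a separate key store
    data, table = pseudonymise(RECORDS, key)
    alice = data[0]["email"]
    print([r["purchase"] for r in data if r["email"] == alice])  # Alice's purchases
    print(reidentify(data[0], table))
```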
Record keeping
From May, data controllers will no longer be subject to the so-called notification obligation, i.e. notifying the Data Protection Authority (DPA) before they start processing personal data. Instead, they will have to keep records of all activities related to the processing of that data.
Data Protection Officer
In particular, the GDPR introduces a new independent supervisory role into corporate life: the Data Protection Officer (DPO). The DPO's main task will be to monitor whether the processing of personal data complies with the obligations arising from the GDPR. In addition, the DPO will conduct internal audits, train staff and take care of the entire internal data protection agenda.
Reporting of stolen data
Every serious data breach, every data theft and every unauthorized access to personal data must be reported by data controllers within 72 hours at the latest. It should therefore no longer happen that massive leaks of personal data only come to light several years later.