GDPR is a risk mitigation process with a strict focus on DATA (company data, personal data and sensitive data). The company has to look at every single piece of old and new data and decide what to do with it. The longer it decides to keep the data, the bigger the privacy risk. Don't forget that GDPR also applies to any print, photocopy or document in your filing cabinets. US Privacy Shield is a smokescreen trying to circumvent the EU's data protection law, looking for an easy solution to the very complex matter of giving control of personal data back to its owner! While you are using the data, you must "PROTECT IT" and subsequently "DELETE IT" when it no longer serves its main purpose, or when the "DATA SUBJECT" (Consumer) so requires!
DATA is the new gold. DATA has now taken on a form of its own, and BIG DATA is what runs everything sales and health related. GDPR is the gold standard for the privacy and protection of personal data belonging to the "DATA SUBJECT". That's why DATA must be accounted for! GDPR is therefore not just another task for the IT department (they will be happy for you simply to increase their budget); this time it starts at board level and requires different processes and management oversight in each company. There is NO standard software program for GDPR, no matter what you see advertised. Processes have to be analyzed and established to track personal or sensitive data, and only once the company has decided how to do it is the task passed on to the IT department. To be in compliance with GDPR you must be able to demonstrate how personal data is used or deleted; you must have "Privacy by Design" and some sort of encryption or similar system separating the data from the "DATA SUBJECT" (Consumer).
Under GDPR, EU citizens have the right to ask how their data is used. Remember that under the General Data Protection Regulation, personal data is no longer YOURS; it belongs to the consumer and has to be accounted for. The "DATA SUBJECT" (Consumer or Patient) must give THEIR explicit consent for his/her private data to be collected and used. And YOU have an obligation to demonstrate how it is used, which means you must have tracking on the data like a digital ledger, i.e. Blockchain or a similar system. You MUST also delete the personal data upon request and be able to demonstrate that it has been deleted!
So, according to the EU General Data Protection Regulation, you must have a DPO (Data Protection Officer) to oversee how personal data is handled by your company. He must be independent of the board and the IT department. The DPO informs the board of any irregularities, and the DPO must report any data breaches to the DPA (Data Protection Authorities) within 72 hours. The DPO works closely with your IT department and the DPA in case of breaches to make sure the processes get back on track. You can consider the DPO your internal ombudsman. We all expect breaches to happen, but with the right processes in place you will be able to minimize risk and therefore avoid the potentially high fines. The fines are currently set at 4% of worldwide turnover or up to EUR 20 million.
As DATA has now taken its own form and has become MONEY, like any other asset in your company, you should be able to ask two simple questions: How much do I have? And where is it? That leads us to the final GDPR compliance rule: the ANNUAL AUDIT, just like with the rest of your company's bookkeeping. Through the ANNUAL AUDIT you demonstrate exactly how much you have, where it is, and whether there were any breaches. If you can do that, you can become GDPR CERTIFIED and get a GOLD TRUST SEAL, which means consumers will be able to trust you, driving more business your way. So GDPR is good for everyone!