Are you confused about General Data Protection Regulation? If you need a very general update and what it is, and how it affects your business, stay on this page!
GDPR is an EU law with mandatory rules for how organisations and companies must use personal data with integrity and in a friendly way.
Personal data may relate to customers, associates, employees or suppliers and may include any information which, directly or indirectly, could identify a living person. Such as name, phone number and address, interests, purchase habits, health, online behaviour.
Processing data means collecting, structuring, organising, using, storing, sharing, disclosing, erasing and destruction of data. All organisations which process personal data must comply with the GDPR guidelines...
The main requirements of the GDPR are as follows:
Collecting data
Organisations must only collect and store relevant personal data and must not collect personal information in case it may be useful later.
Data processing must have a defined purpose
Organisations must only store personal data as long as it is necessary.
The processing of data must be safe and secure.
Communicating GDPR
Organisations must be honest, open and transparent about how the data is collected and used.
Use Privacy Notices and Policies on the organisation website and as part of contractual and service agreements.
Organisations must have and maintain formal processes that show that they comply with the regulations.
Understanding the rights of the individual
Individuals have the right to gain access to the personal data held by the organisation.
Individuals have a right to know how an organisation is using the data, and if required, they can object to the processing or collection of the data.
Set up process for addressing data breaches
If personal data is disclosed, accessed, changed or stolen the organisation is responsible to inform the individuals concerned within 72 hours.
If you are an organisation which has hired another company to process data on your behalf, you are the “Controller” of the personal data. The hired company will be the “Processor”. For this business relationship, you need a Data Processing Agreement (DPA).
A DPA sets out rules for how the Processor may use personal data to fulfil the purpose of the commercial agreement.
In the event of loss of sensitive data, such as health or financial data, the incident must be reported to the relevant authority.
Assign a Data Protection Officer (DPO) to your organisation
The DPO should work as the main operator and the expert on your organisations’ privacy work.
The DPO should be reported to the responsible data protection authority in the country your organisation is established.
Virtual Assistants and GDPR
The above information is a short summary of GDPR and how to address the main requirements. If you are working with a Virtual Assistant, make sure they have a GDPR process in place and be sure to sign contracts to protect your data.
If in the UK ensure they are registered with the ICO - Information Commissioners Office. The ICO regulates data protection in the UK. They offer advice and guidance, promote good practice, monitor breach reports, conduct audits and advisory visits, consider complaints, monitor compliance and take enforcement action where appropriate.
Visit www.ico.org.uk
For more information on GDPR click here
Contact LocalVPA for more information on hiring a VA!
Commentaires