What is the GDPR?
GDPR stands for General Data Protection Regulation and is, in short, the EU's data protection law, which sets the rules for processing the personal data of individuals in the EU.
The regulation demands, among other things:
- appropriate technical and organisational measures to secure personal data (firewall, anti-virus, anti-phishing, access control, etc.), in proportion to the risk of the processing
- appropriate procedures, e.g. obtaining active consent from data subjects before processing their data where consent is the lawful basis
The GDPR applies from 25 May 2018, so we would like to inform you upfront on how Graphius is already preparing for this privacy law. Simply storing personal data already counts as processing it. When we handle personal data on behalf of a customer, for example a mailing list containing names and addresses, we act as a data processor and must comply with the corresponding rules. These rules need to be clear for our organisation as a whole.
What are the steps we will take?
First we create the mandatory inventory of all data processing activities (article 30). This inventory records the lawful basis for processing personal data of suppliers, customers and personnel, and the type of data we process for each of them. So when we receive personal data from our customers, we will handle it with greater care and register the processing in the inventory for accountability.
This means recording the owner of the data, the purpose of the processing, who has access to the data, and so on. One of the reasons we are doing this is that we need insight into all personal data we hold and where it is located. Every data subject has, among other rights, the right to rectification, erasure (the right to be forgotten), restriction of processing and data portability (article 20). To honour such a request we need to know that the data exists and where it is stored.
How and where can I get more information?
Although we are not strictly obliged to do so, we will appoint a certified DPO (Data Protection Officer). This person's role is to regularly audit our compliance with the GDPR, provide the necessary procedures, and answer internal as well as external questions regarding the GDPR.
You can get in touch with our DPO (Hendrik Van Haele) via firstname.lastname@example.org.