Data protection
Better rules for small business
Stronger rules on data protection from 25 May 2018 mean citizens have more control over their data and business benefits from a level playing field. One set of rules for all companies operating in the EU, wherever they are based. Find out what this means for your SME.
What is personal data?
- Name
- Address
- Location
- Online identifier
- Health information
- Income
- Cultural profile
- and more
This is for you too.
Why change the rules?
It's about trust...
A lack of trust in old data protection rules held back the digital economy and quite possibly your business.
of people feel they have complete control over the information they provide online.
And helping business boom...
One set of rules for all companies processing data in the EU
Doing business just got easier and fairer
New rules boost consumer confidence and in turn business.
What your company must do
Protect the rights of people giving you their data
Communication
Use plain language. Tell them who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it.
Consent
Consent is one of the legal grounds for processing data (together with contract, legitimate interest, legal obligations, etc.). If you rely on it, consent should be given by a clear affirmative action.
Access and portability
Let people access their data and give it to another company.
Warnings
Inform people of data breaches if there is a serious risk to them.
Erase data
Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
Profiling
If you use profiling to process applications for legally-binding agreements like loans you must:
- Inform your customers;
- Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
- Offer the applicant the right to contest the decision;
- Ensure an appropriate legal basis to carry out such profiling.
Marketing
Give people the right to opt out of direct marketing that uses their data.
Safeguarding sensitive data
Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
Children's data
Collecting data from children under 16? Under the GDPR you must get parental consent. However, each EU Member State can lower this threshold to between 13 and 16 years of age, so check the age limit.
Data transfer outside the EU
Check the availability of a transfer tool, such as model contract clauses, when there is no adequacy decision for the country of destination.
Do data protection by design
Processing data for another company?
Make sure you have a watertight contract listing the responsibilities of each party.
Check if you need a data protection officer
Keep records
Anticipate with impact assessments
- New technologies
- Automatic, systematic processing and evaluation of personal information
- Large-scale monitoring of a publicly accessible area (e.g. CCTV)
- Large-scale processing of sensitive data like biometrics
The cost of non-compliance
- Warning
- Reprimand
- Suspension of data processing
- Fine: up to €20 million or 4% of global annual turnover