All companies use personal data. Regardless of whether you run a one-man business or have several hundred employees, the EU's new personal data regulation applies to you.
If a company registers personal data, electronically or otherwise, it is subject to the new regulation.
In short, the new regulation means that you are allowed to register employee and customer data, but you must be able to account for the reasons for and purpose of keeping the data, and for when and how you are going to delete them once they are no longer relevant to you.
The new personal data protection regulation will be in force from 25 May 2018.
1. Create an overview of your data: Which types of data do you handle, why do you handle them, for how long will you have them, where do you get them from, and which purpose do they serve?
2. Establish deletion rules: You have a duty to inform the customer of the purpose of keeping their data and of how long you are going to use them.
3. Get your data processing under control: Make sure that you have data processing agreements with the subcontractors who handle personal data on behalf of your company – for example an auditor or a wage administration office.
Source: Jon Lauritzen, lawyer at Delacour
What does GDPR mean for you?
The new regulation has the purpose of protecting people’s rights to privacy and to their own data. You should view your customers’ data as being on loan. This does not mean that you’re not allowed to use personal data – only that you must consider how you use them.
The regulation applies to anyone who handles personal data. By handling, the regulation means gathering, storing and registering. By personal data, it means any information that can identify a person. So in short: it covers just about everything!
With the new regulation, people whose data are registered have several rights, which you should be aware of: the right to have their data deleted, the right to insight into the registered data, the right to have the data corrected and the right to be informed when their data are gathered.
Which types of personal data are covered?
Now, which data can identify a person? Of course, there are the obvious ones: name, address, personal identification number, phone number, email address, income, shoe size and image. But that’s not all. Personal data also cover private information such as religion, sexuality, political persuasion and illnesses.
Personal data only relate to people, not companies. Thus, you are allowed to keep names, addresses and phone numbers of companies.
The consequences
There could be consequences for not being on top of your personal data. You could get a reprimand or a fine from the data protection supervisory authority. But you also risk losing trust, your good reputation and even customers. You could also have damages or compensation imposed on you.
Will the personal data protection regulation ever really come into play? The personal data protection regulation is only just starting up, so you might as well get started right away.
Will the data protection supervisory authorities target small installation companies at all? Yes, they will. The regulation applies to all companies that make use of personal information. We’re not able to predict the extent of the authorities’ actions, but I expect them to contact more or less all companies.
Where do I start? If you don’t have any deletion rules, you should start by establishing some. And then get a data processing agreement if you, like most companies, make use of a data processing provider.
Source: Lawyer Jon Lauritzen, Delacour