Be guided by a GDPR consultant
Because of the operational measures it entails, the GDPR is strongly linked to ICT. Nevertheless, it is essentially a process in which governance (the Board) plays a crucial role. “Regulation requires a company to take measures based on risks.” Europe does not prescribe any concrete steps in this regard, but it does oblige a company to assess and mitigate its risks correctly.
That is precisely why many companies still have questions about the GDPR. The bottom line is that the company’s top management must be aware of the risks. It follows that top management must provide the organization with the resources it needs to protect the data.
It also follows that the company’s operational management must be able to assess the risks. Close cooperation between ICT and the company’s legal department is therefore imperative, because the IT department at the operational level is usually not familiar with the legal aspects of the use and security of data.
At the same time, more awareness is needed at the level of the end users. Ultimately, these are the people who work with the data. They need to know more about possible threats and the vulnerability of data. In other words, there is also a role for the HR department, for example through the training of employees.
Legal basis for processing according to the GDPR legislation
The GDPR attaches great importance to lawfulness, proportionality and transparency with regard to the collection and processing of personal data and to the rights of the data subjects.
The GDPR provides that, before processing personal data, the controller must clearly determine the purpose and indicate what the data will be used for.
It is therefore important that you make a good inventory and describe the purposes for which you are going to collect and process, for example, member and user data. You may not simply change or expand the purposes once processing has begun.
The GDPR also lists the legal bases that justify processing:
* Contractual basis (necessary for the execution of an agreement, e.g. an employment contract)
* Legal obligation (necessary for the execution of a legal obligation, e.g. imposed in a decree)
* Public interest or public authority (assigned by law, e.g. to the police)
* Vital importance (e.g. for urgent medical reasons)
* Legitimate interest (the activity is otherwise not feasible), only if this interest outweighs the interests, rights and reasonable privacy expectations of the data subjects
* Unambiguous consent (free, active and specific consent of data subjects)
Whatever the legal basis, the data must be kept to the minimum needed for the processing. For example, in an employment contract there is usually no purpose that justifies recording the employee’s sexual orientation.
Legitimate interest and unambiguous consent can only be relied on if none of the other legal bases applies. For example, employers must first rely on a legal or contractual obligation; only as a last resort and exceptionally (and even that is open to dispute) can they rely on consent or legitimate interest, e.g. for checking e-mail.
Make sure that every decision and measure you take passes the proportionality test. In other words, always ask the following question when processing:
“Is it really necessary, in view of our objective, to:”
* collect and further process this data? Are there perhaps other ways?
* keep this data for that long?
* give all these persons access to the data?
* continue to associate this data with a specific person, or can we pseudonymise or, better, anonymise it?
Transparency (for natural persons)
In accordance with the principle of transparency, information and communication with data subjects in connection with the processing of personal data must be concise, simple, accessible and understandable, and clear and simple language must be used. This applies when communicating with data subjects about:
* the identity of the controller;
* requests for consent to processing;
* the description of the purposes;
* awareness of risks, rules and safeguards;
* the existence of profiling and its consequences;
* their rights.
For processing that specifically concerns children’s data, the language must be so clear and simple that the child can easily understand it.