The Basics of General Data Protection Regulations (GDPR): What Every Company Should Know about Managing Data
Why it Matters
The standards set by the EU have been the template for most other countries when adopting data privacy regulations. Understanding and implementing GDPR is a good starting point for any company as a basis for its privacy and security policy. At Cadence Communications & Research we have adopted GDPR standards as the basis for our policies and adapted them as new regulations develop.
In 2016, the European Union (EU) enacted the General Data Protection Regulations (GDPR). It resulted from a series of alarming events, including very public data breaches, that highlighted the importance of companies taking data protection seriously. The basic principles of GDPR have become the template for most of the other privacy regulations around the world, including the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, the Personal Information Protection Law (PIPL), and the California Consumer Privacy Act (CCPA).
Processors vs. Controllers
Before you look at GDPR requirements, you must first understand whether you are a processor or a controller. There are different requirements for each category, which are listed in Articles 5 and 6 of the EU regulation.
Controllers collect and own data. They call the shots about how it will be used and have the responsibility for updating, deleting and retaining data. Corporations, retailers, or hospitals are examples of controllers. Any company with a subscriber base or mailing list would be considered a controller.
Processors handle data on behalf of a controller and follow the controller's direction. Service providers, such as travel agencies or marketing vendors, are often processors.
For the purpose of this blog, we are covering the requirements for processors.
There are six basic principles in GDPR for processors.
Data must be handled lawfully, fairly, and transparently
This means that when a company collects data it must tell the individual what their data is being used for. Recently, CCPA has emphasized the importance of transparency, requiring that companies don’t bury important information in excessive legalese. This means providing clear, complete disclosures to individuals when they give you data. All disclosures must be acknowledged affirmatively, meaning individuals must consent to the use of their data, not merely be told that you are using it.
Data can only be collected for specific and legitimate purposes and can’t be used for another purpose.
This means that companies may only use data in the way they have said they will use it. It can’t be used for anything other than what was originally disclosed to the individual.
Data must be relevant and limited to what is required for the purpose for which it is processed.
Relevant means that companies may not ask for data they don’t need. For example, forms can’t include credit card information if the customer is not being charged. Limited means that if a customer provides information to a company, the information may only be used for that one purpose. For example, if a customer provides their driver’s license for travel arrangements, a company may not subsequently use it to make an insurance claim without express consent.
Data must be accurate and up-to-date.
This means that when an individual contacts you to request a revision or deletion of their data, the request must be processed in under thirty days. Failure to do so can result in a fine if a European citizen reports a company’s failure to comply. Other regulatory bodies may also fine the company, so it is wise to follow GDPR standards for all data subjects.
Data must be stored only as long as required and specified in a record retention policy
The length of time that a processor may keep data varies according to the project. For example, if payments are made using bank account numbers that information may need to be kept for up to seven years for audit purposes depending on the requirements of the government taxing authority. Passport information used for booking travel should be deleted once the project is complete.
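As an added example (not code from this post or from Cadence), here is a small Python retention check modelled on the two cases above and on the thirty-day window for revision and deletion requests: time-based retention for bank account numbers and event-based deletion of passport data when the project closes. The categories, durations and sample records are constructed assumptions, not a schedule from any taxing authority or controller.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule modelled on the post's examples; the durations are
# illustrative assumptions, not a schedule from any taxing authority or controller.
RETENTION_RULES = {
    "bank_account": {"trigger": "collected", "days": 7 * 365},  # keep for audit
    "passport": {"trigger": "project_end", "days": 0},          # delete at project close
}
REQUEST_SLA_DAYS = 30  # revision/deletion requests must be processed in under thirty days

@dataclass
class Record:
    subject_id: str
    category: str
    collected: date
    project_end: Optional[date] = None  # None while the project is still running

def retention_expiry(rec: Record) -> Optional[date]:
    """Deletion date, or None while the trigger (project completion) is pending.
    Fails closed: a category without a rule cannot justify keeping the data."""
    if rec.category not in RETENTION_RULES:
        raise ValueError(f"no retention rule for category {rec.category!r}")
    rule = RETENTION_RULES[rec.category]
    if rule["trigger"] == "collected":
        return rec.collected + timedelta(days=rule["days"])
    if rec.project_end is None:
        return None
    return rec.project_end + timedelta(days=rule["days"])

def records_to_delete(records, today: date) -> list:
    """Subject ids of records whose retention period has ended as of `today`."""
    return [r.subject_id for r in records
            if (exp := retention_expiry(r)) is not None and exp <= today]

def request_due_date(received: date) -> date:
    """Latest date by which a revision/deletion request must be completed."""
    return received + timedelta(days=REQUEST_SLA_DAYS)

def overdue_requests(requests, today: date) -> list:
    """requests: (request_id, received, completed_or_None); returns ids past the SLA."""
    return [rid for rid, received, done in requests
            if done is None and today > request_due_date(received)]

# Constructed sample records: a bank account from 2017, a passport from a closed
# project and a passport from a project that is still running.
SAMPLE_RECORDS = [Record("s1", "bank_account", date(2017, 1, 1)),
                 Record("s2", "passport", date(2024, 3, 1), project_end=date(2024, 5, 1)),
                 Record("s3", "passport", date(2024, 3, 1))]
```

Running `records_to_delete(SAMPLE_RECORDS, date(2024, 6, 1))` returns `["s1", "s2"]`: the bank account has passed its seven-year window and the first passport's project has closed, while the passport for the running project is kept.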
LAST BUT DEFINITELY NOT LEAST
Data must be secured in an appropriate security solution
This means that the data a company handles must be protected from unauthorized or unlawful processing and accidental damage and destruction. In broad strokes this means your servers/networks, routers, email, team collaboration, and cloud services must all be secure against bad actors. It also means granting access to users only on a need-to-know basis.
Here is a useful checklist designed for controllers but also useful for processors to determine whether or not you are compliant.
In the next blog we’ll look at privacy. Please sign up for our newsletter to be notified of the next blog.
About Cadence Communications & Research:
Cadence Communications & Research is a boutique professional services firm serving the global healthcare industry. Founded in 2008, Cadence Communications & Research offers services in two key interrelated areas: medical communications and market research. Cadence Communications & Research is a certified woman-owned business and has been named to the Inc. 500/5000 fastest growing private companies in America three times. Cadence Communications & Research is a member of Diversity Alliance for Science. For more information, please visit: www.cadencecr.com.