Anders Paulcén, CEO of Compilator, describes below the GDPR, but wishes to be clear that readers themselves must secure their business legally and that the text below is simplified and reflects how he personally interpreted the rules.
GDPR is here – it’s time to adjust.
As of May 25, 2018, the EU’s new data protection regulation (GDPR) comes into force. It covers every company that handles and stores any personal data. Under GDPR, personal data is any information linked to a living person, such as names, photos, email addresses, IP addresses, location information and vehicle registration numbers. GDPR also covers every kind of processing of personal data, including the collection, registration and storage of personal data.
If you have decided to read on, I recommend that you pour a cup of coffee because it is a lot to take in!
I have tried to collect all the regulations that apply to the storage and handling of personal data, based on what your employees and customers are entitled to know.
Personal data that you are processing must have a legal basis.
In order to process personal data, there must always be support for it in the Data Protection Regulation. One legal basis is consent obtained before the personal data is processed. A box that is already ticked on the website no longer counts as consent, because such a box does not let the consent be given voluntarily. Consent to send a newsletter is also fine if at the same time you will be receiving advertisements in the mailbox. It is therefore important to be extra clear about what you intend to do with the information you have collected.
Right to know.
Your customers and employees are entitled to know what information you are processing about them, the purpose of the processing and where the processing takes place.
Right to object.
The right to object includes, for example, cancelling a newsletter; the law is particularly clear here. You may also not use personal data that you processed for an invoice to send mail with offers, unless you specifically told the customer that you would do so and have a confirmed consent.
The right to be forgotten.
This rule may be the hardest to handle, as it places very particular demands on your business. If you have customers’ addresses in your mail program or in an email, they must be deleted if the customer requests it. There is, as I mentioned at the beginning, the concept of legal basis, and it may sometimes take precedence over your customer’s wish to be forgotten. If you have consent to store an invoice with name and address, that is a legal basis. However, after 7 years you must delete that invoice, because the processing will then no longer have a legal basis. An address on a USB drive can be stored if you have signed an agreement that is renewed on a regular basis. There may therefore be different purposes for your processing of personal data, where the storage of invoices falls under one and the contact in your address book under another.
The right to be notified of data breach.
Should your computer be hacked, or should you lose a USB drive that contains personal data, the affected persons are in certain circumstances entitled to be notified in a timely manner.
It can be expensive if you do not follow the law!
Companies that do not comply with GDPR risk fines of up to 4% of the company’s total sales. It is not just about IT but about all handling of personal data. Payroll, for example, may contain personal data. It is your responsibility to have rules for how to clear that data when people leave the company.
Here are some tips on how to follow GDPR
Remember that all collected personal data that has no purpose should be deleted. You are responsible for all personal data, regardless of how it is stored. It is your responsibility to ensure that your IT system vendors have the right security measures in place to protect your customers’ data. You must have procedures for removing personal data, as well as documentation of where and how your data is stored and handled.
Ask yourself the following questions:
- Why do we save the data instead of erasing it?
- Has the customer / individual really given consent to the storage?
- Why do we save the data? For example, do not store shoe size if you cannot justify it as necessary for your business and the customer.
- What is the purpose of the processing? Categorise these purposes.
- How long is it justified to store the data? Put routines in place that clear old data.
- If a customer wants to be forgotten, how do I act?
- If a customer wants to know what is stored, what answer do I give?
- How do I know that the person requesting the information really is the person they claim to be?
Compilator is ready for GDPR!
Our work with GDPR started this spring with a series of meetings with our lawyers, in order to find out what we need to do to comply with GDPR. For our customers, this means that they will get a product that meets GDPR, and we will help anyone who needs help.
Our solutions will get special reports that tell customers where we store what. You can, for example, delete a contact without affecting archived invoices, which can be cleared separately after 7 years. Our cash register is approved by the Swedish Tax Agency and does not store personal data, which makes the GDPR journey extra smooth. Keep in mind that a registration number on a receipt together with an address is personal data. An image of a vehicle with a visible registration number outside your workshop is also personal data.
GDPR comes into force within a few months and will increase security for all of us. My advice to you is to review now how you can meet the law; otherwise the consequences can be painful.