4 easy questions to check if you are fully GDPR compliant
In today’s data-driven world, people are increasingly concerned about possible data breaches and the theft of important information. In order to protect its citizens, the EU Parliament adopted the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. In this article, we are going to look at the key elements of the GDPR and offer you a simple checklist to see if you are fully compliant.
Basic idea of GDPR
The idea behind the GDPR is quite simple: it is meant to give EU citizens the right to know and decide how their personal data is being collected, stored, processed, protected and deleted. Simple as it may sound, the regulation sets a very high standard and many companies find themselves struggling trying to comprehend its requirements and put all the necessary systems and processes in place.
However, non-compliance may result in hefty fines (up to 4% of annual global turnover), high legal costs and significant reputational damage. Therefore, we believe it is high time we all understood what the GDPR entails and took the steps to ensure compliance.
Who is affected?
If you are wondering whether you are affected at all, then the answer is probably yes. Regardless of where your company is based, the regulation affects you if you supply goods or offer services to EU citizens or companies.
Key elements of the GDPR
First of all, let’s examine the main elements of the GDPR in more detail.
1. Personal data
Personal data is any information relating to an identifiable person, which can be used to directly or indirectly identify this person. It includes name, surname, address, email address, phone number, Social Security number, IP address, medical and biometric data, etc.
The conditions for consent have also been strengthened. According to Article 4(11), consent should be “freely given, specific, informed and unambiguous”. In other words, your request for consent should be easily accessible, intelligible and state the purpose of collecting data in plain language. It must also be as easy to withdraw as it is to give. For more information, see Be GDPR compliant: everything you need to know about getting consent in Jira and Confluence
It means that personal data must be obscured or anonymized so that it cannot be traced back to a person without additional information.
4. Right to be informed
Data subjects have the right to be informed that their personal data is being collected and processed. You must also provide privacy information to the data subject at the time you collect their data (for the full text, see Article 13).
5. Right to access
It means that data subjects can obtain information as to whether or not their personal data is being processed, the purposes of the processing, the period for which the data will be stored, the recipients to whom that data has or will be disclosed, etc. (for the full text, see Article 15).
6. Right to be forgotten
It entitles the data subject to have the data controller erase their personal data without undue delay (for the full text, see Article 17). Now, this rule might be tricky to implement – on the one hand, you have to erase all the personal data completely, on the other hand, you don’t want to run the risk of losing valuable data which may be associated with the user, as data subjects are not just your customers, but also your employees. With our solution, you can use simple JQL queries to anonymize personal data across Jira and Confluence without having to delete important information.
7. Breach notifications.
Breach notifications are now mandatory. It means that you must report all breaches to data subjects and supervisory authorities within 72 hours of becoming aware of the breach (for the full text, see Articles 33 and 34).
It is getting serious
Ensuring compliance may be challenging, especially for smaller companies which might not have sufficient resources or expertise to handle all the requirements. In fact, many research reports show that a lot of companies are still not fully compliant. However, the stakes are getting high.
We all remember the high-profile case of Google, an American technology giant, which was fined 50 million EUR at the beginning of 2019 for not properly disclosing to its users how their personal data is collected and stored across its services.
Later this year British Airlines were fined a record £183.39 million (1.5% of the company’s total revenue for 2018) following the data breach that took place the previous year. British Airlines were accused of poor security arrangements, which led to the leak of sensitive personal data, including credit card details and personal addresses, of hundreds of customers.
Österreichische Post AG
More recently, Österreichische Post AG, an Austrian post company, had to pay 18 million EUR for creating and selling a register containing personal data of millions of Austrian customers.
Deutsche Wohnen SE
Deutsche Wohnen SE, a German real estate company, are also being fined for failing to provide an archiving solution that would allow for the erasure of the data that was no longer necessary. The imposed fine amounts to 14.5 million EUR, which constitutes 2% of the company’s annual turnover).
As you see, the new legislation is going to affect everyone. Of course, you can have your fingers crossed and hope that your company will never be checked (which, we believe, is wishful thinking), or you can have your back covered with a useful tool for Jira and Confluence. See how it works in our YouTube video.
Check yourself – 4 GDPR-questions
If you are not sure of your regulatory compliance status, you can check it by answering the simple questions below:
- Do you know what personal data you have and how and where it is stored?
- Do you manage the process of getting consent from data subjects in a proper way?
- Can you prove how personal data is stored and used and for what purpose?
- Have you set up appropriate processes to manage breach notifications, the right to be forgotten, the right to access, etc?
If you answered “No” or “Not sure” to any of the questions, you might actually be in trouble.
Many companies unknowingly overlook some aspects and think they have all the pieces in place — until a regulator comes knocking on the door or an unhappy customer complains whereupon the company discovers that its data protection system isn’t as robust as it was thought to be. Sounds daunting? We know exactly how you feel – after all, our company is also affected by the GDPR. That is why we have put together a team of our best professionals to develop a solution that will cover all your GDPR compliance needs. Keep ahead of the requirements and become fully compliant now in a swift and easy way with our solutions for Jira GDPR (DSGVO) and Security for Jira and Confluence GDPR (DSGVO) and Security for Confluence.
For more information on GDPR compliance, check out more articles in this series:
- 7 popular myths about GDPR
- Be GDPR compliant, Part 1: everything you need to know about getting consent in Jira and Confluence
- Be GDPR compliant, Part 2: ensure the right to erasure, find and anonymize PII in Jira
- New model of calculating GDPR fines is to increase possible penalties