I have listed the significant individual rights under the GDPR that impact our business, and most likely yours.

Almost everyone today is aware of the GDPR (the new data protection regulation), which will replace the 1995 Data Protection Directive (95/46/EC).

It applies from May 2018, and I found three things which I regard as key elements, at least for us:

1) The new law stresses the rights of the individual
People (your employees, customers, etc.) should "have control" over their personal data in all IT systems, which also means your IT systems. This rule also applies to all social media and e-commerce sites, etc.

This means the way you handle your data must be transparent to the individual. They should be able to understand what you save about them in your systems. For example, if you need to retain your customer's address as a reference for future deliveries, you should be able and willing to inform him/her about the saved information.

This can be solved, for example:

a) With a log-in where the customer can update his/her data and export it in the EU standardised format.

b) Or, much simpler, by a manual process: upon request, your company makes a data extract and sends the individual the information saved in your system about him/her.

The data should be sent digitally (as an e-mail attachment) and in a standardised format. It should also be sent on paper if this is requested. You need to be prepared and willing to change the data upon his/her request for correction.

Note: the new standardised digital data exchange format, which has to be implemented, allows the individual to transfer their data to another provider. The EU is striving for data portability to create technological neutrality and open up competition.

2) The individual has "the right to be forgotten"
= The right to have all data about them erased from your company's systems.

This means an individual has the right, at any time, to have his/her data deleted from your company's data systems.

But you are allowed to keep the data you can prove that you need. For example, a former employee's data cannot be "totally deleted" if he/she is to be part of governmental reporting, pension payments or similar.

As I understand this part of the rule, Google, for example, has a tricky situation. They need to block search results upon the request of a person. This could also influence your company if it, like Google, shows data which is not in the control of your company.

3) There has to be a contact person for the individual.

You have to provide the name of a person responsible for data protection whom the individual can contact, and who is responsible for carrying out points 1 and 2 for him/her.

And, for your information: the European rules are said to apply regardless of where your server is physically located, or whether you are a non-European business.


But that's it, as far as I'm aware. Still, this can be very complicated to fulfill, especially for large companies.

Regards, EM Fahrer

Eva-Maria Fahrer, Adfahrer SBN, SDK, ADSIG

Written by Eva-Maria Fahrer on 2017-06-22 06:01