What do I need to consider now as a CTO?

In my first GDPR article, I listed the eight rights individuals have over how their personal data is used under GDPR. I will detail these further in my next article, but here I will answer some of the questions you should consider now in relation to those rights:

If we do not use personal data to contact or profile customers, does the GDPR apply to us?

Yes—personal data is a broad definition that will become even broader under GDPR. The regulation defines personal data as “any information relating to an identified or identifiable natural person/individual”.

Some examples of personal data that may identify you include: human resource personnel records, CCTV images, social media accounts, website and newsletter registrations, access control systems such as cardkey systems into your office, gym membership details, an IP address, and location services on your cell phone.

Who is responsible for ensuring that we work within the General Data Protection Regulation?

Company-wide data controllers and processors are ultimately responsible, but it’s our own responsibility to work in a manner that facilitates compliance. Additionally, a data protection officer must be designated in certain circumstances.

A controller is defined as an entity that, alone or jointly with others, determines how and why personal data is processed.

This role is similar to a data controller as we know it under the existing EU Data Protection Directives, but the scope of what it controls has expanded under GDPR. In addition, processors now have responsibilities, too, although legally the controller has ultimate responsibility to ensure processors follow the rules.

A processor is defined as any person who processes data on behalf of the data controller (apart from a person directly employed by the controller). Examples include third-party companies, such as marketing firms and cloud hosting companies.

A data protection officer (DPO) may need to be designated or employed by the company and will be seen as the leading authority on GDPR compliance within the organization. Briefly, a DPO is required when processing of data is carried out by a public authority or body, where data is processed in a regular and systematic manner on a large scale, or when large-scale processing of special categories of data, such as criminal convictions, is undertaken.

I am employed by a company based outside the EU and my HR records and payroll are all processed from the parent company. Do they still need to comply with GDPR?

In all probability, yes. If a controller or processor is not established in the EU but offers services or sells goods in the EU or processes data that identifies individuals in the EU, it will need to be compliant. It is the responsibility of the data controller to ensure they comply.

So, what do I do next?

Stay tuned for my next article, which will give you the top 10 steps to get started with GDPR.

I will break it down into manageable, practical steps that you can plan for now and be ready for May 2018.

I will also share some of our solutions you can use to prepare for GDPR. The regulation’s heavy fines are a serious matter, but we can help you take a proactive approach to GDPR and reduce the worry.