GDPR – Questions for the boardroom

Who is representing us in Europe?

Organisations outside the EU should double check that they have all the necessary information to fully comply with GDPR.

If you are registered outside the EU and you hold information about its citizens, you should have received official guidelines from the EU itself. The problem with these recommendations is that they look much like the ones distributed to EU-located organisations, which means they may miss crucial points that are relevant only to foreign controllers and processors.

Article 27 of the GDPR comes to mind, which requires the appointment of an EU-based representative who would be the contact person for local customers and authorities. A US company, for example, has the freedom to choose in which country this representative would work, but bear in mind that Europe is a cultural kaleidoscope with dozens of languages and protocols.

The price tag for non-compliance is €10 million or 2 per cent of the company’s global turnover.

Where are you storing your visitor books?

Analogue data doesn’t give you a free pass from GDPR.

The data recorded with old-fashioned ink on paper is also under the jurisdiction of the GDPR. You may shrug your shoulders, but think about the fate of the visitor’s book that greets every entrant at the reception. Names, company names, positions and car registration numbers are all in there, and they need diligent protection and storage as well.

Ask these questions: Where do we store them? Who is going to page through them and contact clients if necessary? What does the “right to be forgotten” mean in this case?

The challenge will become even more complex for books run by a facility management company, with a dozen tenants in the same building. Who is the controller and the processor in this scenario?

It is the easiest thing to delete the personal data of a customer. What is the big fuss about the right to be forgotten?

No, it isn’t. The right to be forgotten does not mean hitting the unsubscribe button at the bottom of a newsletter. Nor is it deleting a name or a phone number from the cells of your database. A data entry will have thousands of references elsewhere in your system too, and you must remove all of these.

For example, an end-user takes thousands of pictures that are puzzle pieces for her portrait. She stores them on multiple cloud drives, and shares them with others on social media. Even a single photo of that user’s children taking their first bike lesson will end up in different databases, so whenever an end-user wants to be forgotten – which means anything that carries their fingerprint needs to go – the task becomes heavy. You need to track down every detail and delete it.
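The point above is that erasure is a traversal problem, not a single delete. The script below is an added example, not code from the article or from any named product: it keeps a small data map of where a subject's data lives (hypothetical store names, constructed sample records), erases the subject through that map, and then scans every store for residual identifiers. The scan is what turns up the copy nobody registered in the map, which is the situation the paragraph describes.

```python
import copy

# Constructed sample data (not from the article): one customer's personal
# data scattered across several stores. Some rows link by subject id, some
# hold denormalised copies of the email or name.
SAMPLE_STORES = {
    "customers": {
        "c-42": {"name": "Ada Example", "email": "ada@example.invalid",
                 "phone": "+44 7700 900123"},
        "c-43": {"name": "Bo Sample", "email": "bo@example.invalid",
                 "phone": "+44 7700 900456"},
    },
    "orders": {
        "o-1": {"customer_id": "c-42", "total": 19.99},
        "o-2": {"customer_id": "c-43", "total": 5.00},
    },
    "crm_notes": {
        "n-7": {"customer_id": "c-42", "text": "Called Ada Example about invoice"},
    },
    "analytics_events": {
        "e-100": {"user_email": "ada@example.invalid", "event": "login"},
        "e-101": {"user_email": "bo@example.invalid", "event": "login"},
    },
    # Deliberately NOT in the data map: an export cache that copied a CSV
    # row verbatim. Only the verification scan will find this.
    "report_cache": {
        "r-1": {"csv_row": "c-42,Ada Example,ada@example.invalid"},
    },
}

# The data map (hypothetical): for each store the erasure process knows
# about, which field links a row to the subject and what to do with it.
# "anonymise" keeps the row (e.g. for accounting) but severs the link.
DATA_MAP = {
    "orders": {"link": "customer_id", "action": "anonymise"},
    "crm_notes": {"link": "customer_id", "action": "delete"},
    "analytics_events": {"link": "user_email", "action": "delete"},
}


def subject_identifiers(stores, subject_id):
    """Collect every value that points at the subject: id, email, phone, name.
    Must be called before the master record is removed."""
    rec = stores["customers"][subject_id]
    return {subject_id, rec["email"], rec["phone"], rec["name"]}


def erase_subject(stores, subject_id):
    """Apply the data map to every mapped store, then remove the master
    record. Returns the number of rows touched per store."""
    ids = subject_identifiers(stores, subject_id)
    report = {}
    for store, rule in DATA_MAP.items():
        hits = [key for key, rec in stores[store].items()
                if rec.get(rule["link"]) in ids]
        for key in hits:
            if rule["action"] == "delete":
                del stores[store][key]
            else:
                stores[store][key][rule["link"]] = "erased"
        report[store] = len(hits)
    del stores["customers"][subject_id]
    report["customers"] = 1
    return report


def find_residuals(stores, identifiers):
    """Scan every store, mapped or not, for any identifier still present in
    any field. Returns (store, key, field) triples; an empty list means the
    erasure is complete as far as the known identifiers go."""
    residuals = []
    for store, records in stores.items():
        for key, rec in records.items():
            for field, value in rec.items():
                if any(ident in str(value) for ident in identifiers):
                    residuals.append((store, key, field))
    return residuals


def run_erasure(subject_id, stores=SAMPLE_STORES):
    """Erase a subject from a copy of the stores and verify. Returns
    (per-store report, residual references)."""
    working = copy.deepcopy(stores)
    ids = subject_identifiers(working, subject_id)
    report = erase_subject(working, subject_id)
    return report, find_residuals(working, ids)


if __name__ == "__main__":
    report, residuals = run_erasure("c-42")
    print("rows touched:", report)
    print("residual references:", residuals)
```

The design choice worth noting is that the verification scan does not trust the data map: it matches raw identifier strings across every store, so a copy that was never registered (the `report_cache` row here) is reported rather than silently left behind. In practice that residual list is the work queue for the next iteration of the data map.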

Originally published in Business Reporter Online: June 2018