GDPR, General Data Protection Regulation
What is considered bad practice for a data controller or data processor?
The regulation defines important criteria for classifying companies as data controllers and data processors. Payroll providers, for example, must comply with the requirements in both roles: as a data controller for their own employees, and as a data processor on behalf of their clients. Some examples of what can be considered bad practice:
- transferring personal data without adequate protection;
- storing or using personal data for marketing purposes after the person has requested its deletion;
- retaining email addresses beyond the specified retention period;
- leaving personal data unattended (on a screen or on a desk).
What should we do if we have not yet started preparing for the regulation?
Since the deadline is getting closer, we can almost be sure that external support will be needed. It is especially important to identify where personal data can be generated within your organization. Attention should also be paid to the scope of the regulation, because it covers data contained in paper-based documents, internal systems, databases and emails alike. It is also worth assessing where the business stands and what security systems are already in place. Additionally, we need to create a standardized package that includes the additional materials related to employment contracts, security and data security descriptions, and IT questions that describe how we transfer, store and manage our data. Finally, do not hesitate to ask for help from accounting or payroll providers.
What are the rights of individuals in GDPR?
The regulation has been the subject of several analyses, but it is also worth examining the rights of employees. We collected a few (non-exhaustive) examples of the rights an individual has:
- The right to be informed – “I want to know what data is stored about me and what it is used for.”
- The right to rectification – “I want my incorrect data to be corrected.”
- The right to erasure (the right to be forgotten) – “I would like my data to be deleted.”
- The right to object – “I do not want to receive newsletters and promotions.”
“Our aim is to comply with the law in every aspect, since we are a BPO provider, and we are responsible for our partners, as a data controller and as a data processor as well. Failure to comply with this regulation seems practically inevitable, because very precise conditions have been set, with strict deadlines. However, it is important to mention that companies need to demonstrate that they comply with GDPR regulations the best they can. This is also our job, because there may be requirements that may exceed the costs or other possibilities and resources of a given company. This is also respected by the regulation, so everybody has to build up the new data security system in accordance with their own circumstances.”
János Babos (Partner, Managing director)