Since May 25th, 2018, all companies and professionals must comply with GDPR, or General Data Protection Regulation, to protect the personal data and privacy of EU citizens. Any company or professional who does not comply with GDPR exposes itself to costly sanctions, from warnings to high fines. Therefore, all companies (including SMEs) and professionals must implement appropriate systems and processes in order to comply with customer data protection laws.
Under GDPR, the following types of personal data are protected: basic personal data (such as name, address, ID number), web data (IP address, location, cookie data, etc.), health and biometric-related data, racial or ethnic data, political opinions and sexual orientation.
The GDPR rules do not apply to data processed for purely personal purposes or for activities carried out within the domestic environment. This exemption holds only as long as the data is not connected to any commercial or professional activity.
The legislation does not only apply to companies and professionals within EU member states. It also affects any company that does not have a business presence in EU states, but whose transactions imply the storage or processing of personal data about EU citizens within EU states.
Consequently, even professional translators, interpreters, proof-readers, etc. must be compliant with the General Data Protection Regulation requirements when working with companies, as they process documents and information containing the company’s private data.
However, companies and professionals must also remember to comply with confidentiality agreements (NDA, Non-Disclosure Agreement). Indeed, GDPR aims to protect private data, while an NDA avoids the disclosure of information that belongs to direct and indirect clients. These agreements are complementary and must be included in each company’s addendum in order to guarantee total confidentiality and GDPR compliance.
Your GDPR FAQ
1/ Question: Do I have all the necessary documentation to show my customer, in a concise and simple way, how I collect, store and process personal data?
1/ Answer: Any data collection must be accompanied by an information notice containing all the information required by Article 13. One of the new requirements for all of us is the obligation to use simple and clear language.
2/ Question: Have I organized my professional activities so that I collect and/or process only the personal data strictly necessary for my work and for performing the agreement I have with the Company?
2/ Answer: The general principles to adopt are set out in Articles 5 and 11.
Note that the principle of data minimization means that only the data relevant to performing the agreement may be collected. Collecting or processing data beyond what performing the agreement requires is considered abusive processing.
3/ Question: Have I organized the storage of documents relating to the various services so that they are always accessible, but only to authorized personnel?
3/ Answer: Here the general requirements for the availability and the confidentiality of databases come together. In concrete terms this means an orderly management of data and information, that is, of paper files and digital folders, which keeps their contents protected from prying eyes or from access by strangers, while still allowing the owner to manage the activities efficiently.
4/ Question: If applicable (I am an agency or an associated firm), have I appointed and properly trained my collaborators, and have I also formalized the relationships with the external professionals I turn to for the management and development of the firm's activities?
4/ Answer: The entire 'privacy' organization chart of the firm must be involved in the data protection policy. It is an extensive organization chart, which includes the persons in charge (collaborators, practitioners, employees) but also those responsible for the processing, i.e. external professionals who collaborate with the firm in various capacities (lawyers from other bars, accountants, labour consultants, etc.). Note that a formal appointment is required for the persons in charge (Article 29).
5/ Question: Are my PCs protected from external threats? Do I have, in case of need, the name of a trusted IT technician I can call on to resolve specific problems?
5/ Answer: This refers to implementing adequate software to prevent attacks or threats of various kinds and origins. Here it may be wise to rely on the expertise and experience of a professional.
6/ Question: Are laptops and other removable IT devices used in activities outside my workplace in a way that minimizes the risks of accidental loss, theft and the like?
6/ Answer: A clear example is the use of USB sticks: on top of mandatory password protection of the stick, it is necessary to load onto or leave on the stick only the data that must be processed during the external session.
7/ Question: Do I perform a full backup of all data on a PC at least once a week?
7/ Answer: This operation is truly fundamental for data protection. Depending on the intensity of daily changes, a higher frequency than the minimum one is recommended.
8/ Question: Have I defined a retention period for personal data in line with the purposes of the processing?
8/ Answer: The professional too, like any controller, is required to define the data storage period (data cannot be stored indefinitely) and, moreover (new in the Regulation), to mention it specifically in the information notice (as an alternative to the retention period, it is sufficient to indicate the criteria used to determine it).
9/ Question: When I have to dispose of PCs, notebooks and other devices used for my professional activity, do I make sure that there is no residual risk of exposing personal data during disposal?
9/ Answer: So-called 'electronic waste', when not managed, is unfortunately a source of information to the detriment of the data subjects and a risk for the data controller itself (see the definition of data controller in the Regulation). It is a duty to follow the provisions of the Regulation on this matter.
10/ Question: Have I taken the necessary measures for the physical security of my workplace, in the sense of adopting reasonable measures or precautions to prevent unwanted access and actions that could negatively affect the confidentiality, availability or integrity of databases?
10/ Answer: The issue is always the security of the processing. This time, however, it is assessed by examining the premises and physical places in which the professional's activities are carried out. The "adequate" protection measures can vary according to the context (for example, a firm located in a room inside a real estate unit shared with other professionals, a firm located on the ground floor of a condominium, etc.).