General Data Protection Regulation GDPR Part II

3 Mins read

The article below is important for every small business including the Sales and Marketing team who generate leads and close the deals.

Three weeks ago, the Securetain team received a call from the client that the company has signed a contract with the US-based new client to migrate corporate email on-prem to a new provider in the cloud. Along with the signed contract they received a five pages detailed questionnaire on the handling of private information. The small organizations doing business particularly in the US do not much speak about GDPR because they do not process any privacy data covered by the rules of GDPR. As it turns out the end client not only had an international presence but also had a Data Privacy Officer in Europe. Here is what everyone having small business needs to prepare for if you are having clients with an international presence.

Many of you read or heard about the EU Data Protection Act 1998. Prior to the EU Data Protection Act, various countries in Europe had some form of data protection act that protected data privacy. Similar rules are present in other countries in Asia too.

The significant changes in GDPR are related to the design which has the objective of providing rights as well as giving control to the personal data owner on deciding how the third party could use his/her personal information. Hence the rules are designed to ensure the data owner decides whether the third party can process his personal information, make changes, stop the use of information, etc. and have right to receive the information requested, obtain his consent, restrict processing,  provide visibility on the processing of information, etc. The challenge is for the companies to implement the rules and techniques that will allow them to comply with the rules (please refer to Exhibit A below) of providing information in a timely manner, obtaining and documenting consent, etc. Once you understand the objective, Exhibit A will make sense.

Securetain advisor performed an assessment of the client’s GDPR readiness in three days and submitted a report on the fifth day providing gap analysis and suggested remedial actions. If your team is spending more than three days deciding on what to do, the problem is not about addressing GDPR but probably addressing the information security as well as a data privacy issue. Please, note the objective is to gain an understanding of what we need to do. It will be great for every small business having international clients or wish to work with international clients, perform some quick study on GDPR and educate the Sales and Marketing team. The sales team also needs to know about cold emailing, calling, etc. Securetain ( team will cover this in the next post.

Exhibit A – GDPR Rules

* Below is the summary of rules and will request you to read about processors vs controllers.

Scope, timetable and new concepts
Material and territorial scope
New and significantly changed concepts
Data transfers
Transfers of personal data
Lawfulness, fairness, and transparency
Data protection principles
Lawfulness bases for processing and further processing personal data Legitimate interests
Consent to process children’s personal data
Sensitive data and lawful processing  
Appointment of supervisory authorities
Competence, tasks, and powers
Co-operation and consistency between supervisory authorities
European Data Protection Board
Individual rights
Right to be informed
Subject access, rectification, and portability
Rights to object
Right to rectification and data quality
Right to erasure including retention and disposal
Right to restriction of processing
Rights related to automated decision-making including profiling
Special cases
Derogations and special conditions
Accountability, security, and breach notification
Data governance obligation
Data processor contracts
Data Protection
Personal data breaches and notification Codes of conduct and certifications
Delegated acts and implementing the act
Delegated acts, implementing acts and final provisions
Data Privacy Officer

RELATED POST :How Do I Leverage My GDPR Preparation for CCPA? Part III 

How Do I Leverage My GDPR Preparation for CCPA? Part IV

How Do I Leverage My GDPR Preparation for CCPA? Part V

How Do I Leverage My GDPR Preparation for CCPA? Part VI

Related posts

Everything You Need to Know About DoD CMMC – CMMC Introduction

2 Mins read
In March 2020, Visser Precision Manufacturing confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft…

How Do I Leverage My GDPR Preparation for CCPA? Part III

4 Mins read
The GDPR team has new challenges with the California Consumer Privacy Act (CCPA) compliance and many more to come from other states….

How Do I Leverage My GDPR Preparation for CCPA? Part IV

3 Mins read
Continued from the part III – The CCPA requires all businesses with customers in California to disclose personal information they store,…

Leave a Reply

Your email address will not be published. Required fields are marked *