If your IT firm offers goods and/or services to citizens in the European Union (EU) or if you collect personal data on any citizen of the EU, then it’s subject to the General Data Protection Regulation (GDPR). Many people might think the GDPR is just an IT issue, but it has broad implications for entire organizations, in particular how companies handle marketing and sales activities.
One of the centerpieces of GDPR is Article 5 and how sensitive personal data is obtained and stored. Your IT firm should be aware of this rule to ensure compliance.
What is considered sensitive personal data?
The GDPR refers to sensitive personal data as "special categories of personal data which uniquely identify a person." This includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Health or sex life
- Unique identifiers of a person, including biometric or genetic data
Are there any specific rules businesses should be following in order to ensure compliance?
Article 5 of the EU GDPR states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Held only for the absolute time necessary and no longer
- Processed in a manner that ensures appropriate security of the personal data
Should I appoint a Data Protection Officer (DPO)?
Not every organization needs to appoint a DPO. Whether yours must depends on a number of factors, such as whether your IT firm carries out large-scale systematic monitoring of individuals (for example, online behavior tracking), or whether you carry out large-scale processing of special categories of data or of data relating to criminal convictions and offenses.
What are the penalties if my IT firm is not GDPR compliant?
The GDPR is the EU’s way of giving individuals, prospects, customers, contractors and employees more power over their data and less power to the organizations that collect and use such data for monetary gain.
While the penalty system is not a blanket approach, there are tough consequences for companies and organizations that don’t comply with GDPR, including fines of up to 4 percent of annual global revenue or 20 million euros, whichever is greater. Additionally, other measures such as warnings and audits can be imposed for different infringements.
If your IT firm experiences a personal data breach, notify the proper authorities within 72 hours; failing to do so can itself lead to GDPR fines and penalties.
Be in the Know With ASB Resources
As your recruitment partner, we make it part of our ongoing mission to keep you informed on policies and trends that can affect how you conduct your business. Reach out to ASB Resources with questions or for your upcoming IT recruiting needs.