What is GDPR?

General Data Protection Regulation, or GDPR, has overhauled how businesses process and handle data. Our need-to-know GDPR guide explains what the changes mean for you , how to stay compliant and what penalties you may face if you fail to comply.

Overview

The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Companies must be able to demonstrate that data is being processed in a transparent way, with the appropriate security measures in place. This includes having the appropriate technical and organizational measures in place to protect data from being accidentally or unlawfully destroyed, lost, altered, disclosed or accessed. Additionally, companies must show that personal data is only collected and used for specified, explicit and legitimate purposes.

Organizations must also appoint a Data Protection Officer (DPO) if they fall under certain criteria, such as performing large scale systematic monitoring of individuals or processing data on a large scale. The purpose of a DPO is to ensure that the company is compliant with GDPR.

By understanding the principles and requirements of GDPR, organizations can protect their customers’ data, build trust and be better prepared to handle any data-related issues. Ultimately, GDPR is designed to give citizens and residents of the EU more control over their personal data and how it is used.

Stricter Privacy Laws

The General Data Protection Regulation became effective May 25, 2018 in order to standardize data privacy laws throughout the European Union and affording individuals stronger rights and protections.

It could be said that GDPR is the world’s strongest set of data protection rules. They not only empower individuals with control over their personal information, but they also place restrictions on what organizations can do with that data. GDPR is comprised of 99 articles.

Many have lauded GDPR as a step forward in how personal data should be handled, noting its similarities to the California Consumer Privacy Act.

Who is affected by the GDPR?

The GDPR is designed to protect personal data. This term refers to information that can be used to identify a living person, directly or indirectly. Personal data refers to information that can identify an individual, which can be something obvious like a person’s name or location. But it can also be something less apparent, such as IP addresses and cookie identifiers.

GDPR not only protects standard categories of personal data, but also special categories of sensitive personal data. This includes information about racial or ethnic origin, political opinions, religious beliefs, membership in trade unions, genetic and biometric data, health information and data related to a person’s sex life or orientation.

The key determining factor of whether something counts as personal data is if it could lead to the identification of an individual. While seemingly anonymous, pseudonymised data can still count as personal data under GDPR.

Integrity and confidentiality (security)

Personal data is vulnerable to unauthorized or unlawful processing, as well as accidental loss, destruction, or damage. In other words, information security protections must be put in place to prevent information from being accessed by hackers or accidentally leaked during a data breach.

While GDPR doesn’t give a step-by-step guide on how to ensure data security, it does state that the level of protection must be relative to the sensitivity of the information being protected. For example, a bank will have to take more precautions than your local dentist. To keep information safe, access controls should be put in place, websites should be encrypted, and pseudonymisation is a good idea.

Accountability

GDPR’s only new principle is accountability, which was created to show that companies are adhering to the other principles set forth by GDPR. Accountability, at its core, means documenting how personal data is handled and what steps are taken to ensure that only authorized individuals can access certain information. Accountability might also involve training staff in data protection measures and regularly evaluating data handling processes.

What are my GDPR rights?

GDPR’s main focus may be on data controllers and processors, but the legislation ultimately protects individuals and their rights. Article 8 of GDPR details eight specific rights individuals are entitled to, including easy access to the data companies hold about them as well as the right for that data to be deleted under certain circumstances.

The full General Data Protection Regulation (GDPR) rights for individuals include: the right to be informed, the right of access, the right to rectification, the right to erasure, the restrict processing right ,the data portability right ,the object right and also rights around automated decision making and profiling.

Access to your data

The General Data Protection Regulation (GDPR) allows individuals to inquire about the data an organization has gathered on them for free. This is known as a Subject Access Request (SAR). No one else can request information on your behalf, but someone else, such as a lawyer, can make the request for you.

SARs can be requested either in writing or verbally – meaning an organization has to determine whether what has been asked for is classed as personal data under GDPR. Although SARs can be sent through social media, most people will send them via email.

Automated processing, erasure and data portability

The GDPR not only strengthens a person’s rights around automated data processing, but also gives them the right to opt out of any decisions that could produce a significant effect on their life.

The regulation empowers individuals to have their data erased in some cases, such as when it’s no longer needed for the reason it was collected, if they withdraw consent, there’s no legitimate interest present, or if processing happened unlawfully.

GDPR breaches and fines

If an organization doesn’t process an individual’s data in the correct way, it can be fined. If it requires and doesn’t have a data protection officer, it can be fined. If there’s a security breach, it can also be fined.

Smaller GDPR offenses come with a potential fine of €10 million or two percent of your company’s global earnings (whichever is worse). The more serious GDPR breaches have even heftier consequences: fines going up to €20 million or four percent of your firm’s global revenue (again, whichever number is greater).

Data Processors and Data Controllers

We use the terms “Data Processor” and “Data Controller” when discussing personal data.Treffas is a data processor, and our users are the data controllers. This means that we process your client’s data on your behalf and in their best interest. Therefore, you also have control over how we process this information since we can only do so if instructed by you.

Is Treffas compliant?

• If you have been set up with Treffas, then you have implicitly agreed to our terms of data processing.

Location of data

The new General Data Protection Regulation makes it legal to transfer personal data between EU countries, so long as there is an adequate level of security. At Treffas, we understand how important your clients’ data is to you. That’s why we store it securely at an off-site location so you can rest easy knowing that their information is well-protected. Your data will always be covered by the General Data Protection Regulation when stored with us.

Is Treffas compliant?

• Treffas is already set up to store all your data at our secure servers.

What About Consent and Disclosure Requirements?

As a data controller, storing and processing your clients’ data clearly and concisely is vital. The data processing must be contracted or consented to and should have a specific purpose that your client is aware of. They need to know the following:

● What personal data will you register,
● What is the personal data going to be used for
● How long the personal data will be stored,
● Your client must have their information corrected, deleted, or handed over.
● Where your client may turn to avail themselves of their right to rectify, delete, or receive information about the handling of their data,
● At any point, the client may withdraw their consent and how to do so

If you set up clients in Treffas, they will need to agree to this and will be given the information mentioned above. At Treffas, online appointments must always be approved by specific conditions to guarantee consent.

Is Treffas compliant?

• To comply with data regulations, you must get your clients’ consent to store and process their data. You can do this easily with Treffas.

Data Protection Officer

Since the new General Data Protection Regulation was implemented, data processors like us are now required to have a DPO or someone responsible for ensuring that our company meets all of the requirements. A DPO is tasked with advising us on compliance with data protection laws, ensuring our procedures are up to date and monitored correctly, and responding to any queries about the data we process.

Is Treffas compliant?

• Treffas has dealt with this issue by appointing a Data Protection Officer (DPO), who, amongst other duties, deals with any questions from clients about processing their data.

Data Portability

At Treffas, we provide our clients with the ability to export their personal data in a secure format, and we ensure that the transfer of this data is done so in accordance with GDPR standards. We are also available to answer any questions about data portability you may have.

Is Treffas compliant?

• This refers to the ability of a client to move their data from one service provider to another. The General Data Protection Regulation makes it mandatory for us as data processors to comply with the ‘Right of Data Portability’, which means that all clients have the right to transfer their data from our system to another.

The “Right to be Forgotten.”

You can specify a client as “Inactive” or delete the client from your directory altogether. If you want to meet the requirements for the “Right to be Forgotten“, it is critical that you delete the client from your directory.

Is Treffas compliant?

• This refers to a client’s right to delete all of their data from our system. We comply with the General Data Protection Regulation and allow our clients to delete their data from our system completely, thus ensuring that they can exercise this “Right to be forgotten“.

Privacy by design / Privacy by default

At Treffas, we take your data privacy and security seriously. We comply with the General Data Protection Regulation, which includes implementing ‘privacy by design and ‘Privacy by default measures into our system. This means that all of the personal data stored in our system is kept secure and private at all times.

Not only do we encrypt personal data to satisfy various requirements, but if you use other systems, it is your responsibility as the data controller to ensure that they comply with said requirements too. Treffas only transfers data over an encrypted connection if you have linked it to another system. However, you, as the data controller, are responsible for ensuring that the other system(s) you are using comply with GDPR requirements for the storage of personal data.

Is Treffas compliant?

• To meet the requirements of the GDPR, you must assess whether other programs you use to process personal data comply with its regulations. If they don’t, then you need to sign a data processing agreement with your chosen data processors.

Impact assessment

An impact assessment describes the technologies/products you use that handle personal data. It may include, among other things, an evaluation of the risks for your clients concerning being a client with you and what precautions and security measures you take in relation to the storage of personal data.

We can answer any questions about impact assessment or any other GDPR-related concerns. We are committed to helping you meet all the requirements for compliance, so please do not hesitate to contact us.

Is Treffas compliant?

• If you are a data controller, the new General Data Protection Regulation requires that you do a risk assessment.

Notification Duty Regarding Data Breaches

At Treffas, we take data breaches seriously and will always ensure that our clients are informed as soon as possible of any potential risks, and the steps taken to address them. We are also available to answer any questions you may have regarding data breaches.

We understand that data privacy is a responsibility that we take very seriously, so we strive to ensure that our clients feel secure and safe when using our services. If you have additional concerns with regards to the GDPR, please do not hesitate to reach out.

Is Treffas compliant?

• The GDPR requires that we notify the appropriate authorities and affected individuals within 72 hours of a data breach. The notification must include information about what happened, who was affected, and the steps taken or planned to mitigate any further risk.

Documentation that the General Data Protection Regulation is being complied with

At Treffas, we ensure that all of our records are up to date and in accordance with the GDPR. We regularly review our practices to make sure that your data is being handled and stored securely. We also keep evidence of our compliance, such as audits or risk assessments. If you have any questions or concerns about compliance with the GDPR, please do not hesitate to contact us.

Is Treffas compliant?

• Documentation is key to proving that you, as data controller, are compliant with GDPR. This includes having records which show that data has been processed appropriately in the systems you utilize.

SSL security / encrypted communication

If your website doesn’t have the small SSL padlock in the browser, consider changing to a system that does, or contacting your supplier to make sure this is dealt with.

Is Treffas compliant?

• If you control data, it is crucial to understand how to securely send information from a web browser to a system. For example, this occurs when editing journal entries or making appointments. Many appointment-scheduling applications, billing software, and online record-keeping systems lack SSL security features.

Exchange of data between platforms (integrations, apps)

As a data controller, it’s critical that you’re aware of the various platforms you use and how they manage personal information. When using an online system for tasks like inputting records or billing, it’s often possible for the system to share data automatically with other platforms.

At Treffas, all integrations use SSL security to protect your data and prevent it from being “leaked.” This means that you can rest assured that the data is always transferred securely and confidentially

We understand how important it is to keep your client’s data safe, so if you have any questions about integrations or other aspects of GDPR compliance, please do not hesitate to get in touch.

Is Treffas compliant?

• Treffas guarantees secure communication in all integrations by utilizing SSL.