Sunday, May 27, 2018
In the days and weeks leading up to the effective date of GDPR, we all received a plethora of revised Privacy Policies, as well as a handful of reconfirmations of email opt-ins. Surprisingly, many people in U.S. organizations of significant size seem to think that these actions alone will make them GDPR compliant.
Has anyone else experienced this reaction?
Friday, May 25, 2018
According to the definition of processing in Article 4 of GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In short, if you have the personal data, you are processing it according to the definition of processing.
What are the consequences of this definition?
It means that you have to comply with different aspects of GDPR, such as security, the notice provided to the data subject, and having a legal basis for the processing.
If you plan to use an external supplier to process the personal data, you have to sign a Data Processing Agreement according to Article 28 of GDPR.
Contributed by my dear friend Piotr Siemieniak based upon typical 'real life' responses in training sessions. See https://upsecure.pl/