Any organization that processes personal information about EU citizens must have systems in place to comply with the GDPR, and must be able to prove that compliance with documentation. Even now, many companies are not in full compliance, and this is a major risk: non-compliance can cost organizations up to 20M Euro in fines or 4% of the total annual turnover of the preceding financial year.
The GDPR is a complex regulation put in place to protect the personal data of individuals. With companies around the world making heavy and growing use of social media and enterprise collaboration networks, several GDPR provisions apply to the personal information held within these platforms.
The following issues deserve particular attention when determining steps toward GDPR compliance for social media and enterprise collaboration networks such as Yammer, Workplace by Facebook, Chatter and others:
- Data Protection and Privacy: The need to implement policy statements on websites and social media that address the intention of collecting data before doing so.
- Employee Rights on Social Media: The importance of reviewing workplace social media policies to ensure they do not conflict with other privacy laws.
- Governance and Oversight: The need to develop strong internal procedures and controls so that social media risks are managed effectively.
- Information Archiving and Retention: The requirement to implement a record-keeping system that effectively captures social media history and preserves it as official, valid archives.
The GDPR and Privacy Rights
Under the General Data Protection Regulation, individuals have the following rights:
1. The Right to be Informed
Individuals will have the right to know, at the time their data is collected, when and where it might be used. Organizations must request consent before gathering data for a specific purpose. ‘Opt-in’ will replace the existing ‘opt-out’ rules when it comes to receiving any marketing communications.
2. The Right of Access
Individuals can request access to their personal data and have the right to understand how an organization uses it once it holds that data. Organizations must provide free copies of the data on request.
3. Right to Rectification
Individuals can require that any errors in their personal data be corrected. Organizations must respond to such a request within a month.
4. The Right to Erasure
Individuals will have the right to withdraw consent for organizations to keep and use personal information at any time, and have that information erased.
5. Right to Restrict Processing
Individuals will have the right to block and suppress processing of their personal data. If suppressed, organizations can still store personal data but cannot use it in any way.
6. Right to Data Portability
Individuals will have the right to transfer their data from one service provider to another. This requires the current provider to comply with such a request.
7. The Right to Object
Individuals will have the right to object to organizations using and processing their personal data - whether for direct marketing, profiling, processing for scientific or historical research, inclusion in statistical research, or other purposes. If an individual objects, all data processing must be halted right away.
8. Rights Related to Automated Decision Making and Profiling
Individuals have the right to be protected against the risk that a potentially damaging decision is taken automatically, without human intervention.
Pagefreezer’s free white paper sheds additional light on this topic, looking specifically at the implications of the GDPR and the 12 steps you need to take in order to comply with the regulation.