Dryrun and GDPR Explained
The General Data Protection Regulation (GDPR) is an expanded and updated version of the 1995 EU Data Protection Directive (DPD).
Its purpose is to greatly enhance every EU citizen’s rights over their personal data by increasing the responsibilities of every organization that collects or processes personal data. The GDPR’s new and expanded provisions strengthen individuals’ rights over their data and add harsher penalties for violations.
The GDPR comes into force on May 25th 2018.
This page isn’t meant to cover the full scope of EU data privacy, the GDPR or the legalities associated with both as they concern Dryrun. Instead, we’ve focused on what we think is most relevant to our users and done our best to link you to really high quality source documents.
Under no circumstances may you rely on this web page as legal advice, or as evidence of any particular legal understanding. If you have questions or concerns about Dryrun policies, please contact Dryrun directly via email at firstname.lastname@example.org.
GDPR Foundations and Newly Added Rights
Foundations of the GDPR
- Obtain and process the personal data fairly.
- Keep personal data solely for one or more specific and lawful purposes.
- Process personal data only in ways compatible with the purposes for which it was given to you initially.
- Keep personal data secure.
- Keep personal data accurate and up-to-date.
- Ensure that personal data is relevant to the organization’s needs and not excessive.
- Do not retain personal data any longer than is necessary for the specified purpose(s).
- Give individuals a copy of their personal data upon request.
Newly Added Rights
- Alert downstream recipients of deletion requests
- Give individuals a copy of their personal data upon request in a common format, without charge and within 30 days of request
- (Note that organisations may refuse to grant an access request in some cases if the request is deemed unfounded or excessive, but refusal policies and procedures must be clear)
Dryrun’s New Responsibilities Under the GDPR
- Data privacy “by design” is required when developing new systems
- A Data Privacy Impact Assessment (DPIA) must be performed when we use new technologies or existing technologies in risky ways.
- We must consider the potential impact that a project might have on an individual’s privacy so that risk issues can be proactively identified and mitigated prior to the project launch.
- Dryrun must review and amend any privacy notices or statements as well as internal data policies for compliance to GDPR’s requirements.
- If we use third party agencies to collect and process personal data, those contracts must also be amended to comply with the GDPR.
- Customer contracts must be GDPR compliant.
- Dryrun’s GDPR processes should be documented, put into practice and subsequently reviewed on a regular basis.
- Dryrun staff should be trained accordingly.
- Dryrun must take appropriate technical and organisational measures to support and demonstrate compliance.
The scope of the GDPR is far broader than that of the 1995 DPD. The GDPR also applies to non-EU businesses that market to people in the EU.
Penalties for Violations
Businesses that violate data subjects’ rights can incur fines up to €20 million or 4% of their global annual revenue.
Our core team members are working hard to make the necessary changes to Dryrun’s services and policies to ensure that we’re compliant by May 25, 2018, both for our accounting pros and for our business users.
It’s important to note that companies need to assess their own data collection and storage practices (including how they use Dryrun’s tools) and seek their own legal advice to ensure that they are in compliance with the GDPR.
We’re using the following questions to ensure that we take a risk-based approach to protecting user data.
- What personal data do we collect and store?
- Have we obtained personal data fairly?
- Do we have the necessary consents required to collect and store the data in question?
- Were individuals informed of the specific purpose for which we’ll use their data?
- Were we clear about the purpose of data capture and storage in these circumstances?
- Were individuals informed of their right to withdraw consent at any time?
- Are we keeping data only as necessary and is it up-to-date?
- Is the data kept secure, with protection appropriate to the risk?
- Are we limiting access to ensure the data is only used for its intended purpose?
- Are all team members informed of their obligations under the GDPR?
- Do we have sufficient resources to implement any required changes and processes?
GDPR is an important policy tool that helps restore the balance of power between users and organizations on the internet to something resembling ‘brick and mortar’ ethics. Dryrun looks forward to being a positive part of this trend toward internet good citizenry.