If you’d like to read the blog in Finnish, please click here.

With its implementation nearing, the EU General Data Protection Regulation (GDPR) is attracting interest and provoking discussion. This regulation will come into effect on May 25, 2018. Here are a few tips for our customers to get the big picture and prepare for the future.

1. Familiarize yourself with the core message

   The GDPR regulates how personal information collected from and about private individuals may be used for sales and marketing purposes. The users of the Howspace digital platform are usually employees and are not regarded as private individuals, meaning that no information about them is collected for sales or marketing. Nevertheless, the processing of personal data must also be made transparent on Howspace and must be communicated to everyone.

   Within a few years, we will be able to see the actual effects of the regulation. I believe that a year from now end users will see the GDPR as a simple disclaimer on websites—the same kind of disclaimer that is now provided about cookies.

   Of course, reaching that point will not be simple for all operators. Some will need to implement numerous measures and perhaps even rethink their business model.

2. Update your contract
   

   We will update our contracts with all of our customers, as the Howspace digital platform collects personal information such as email addresses. We will inform all of our affected customers about this. With the updated contract, we will also provide updated instructions, which will be in line with the regulation.

3. Further specify your role

   The impact of the GDPR on your work will depend on your role in collecting and processing information about the users of Howspace. When an employee uses the digital platform in their work, the situation falls under the employer’s right of direction and does not require written consent for the processing of personal data.
   
   In the future, however, the entire processing chain for personal data must be recorded, specifying by whose permission and for what purposes data is collected and used. If a consultant is hired by a company or other organization to facilitate work on the Howspace platform, the chain looks something like this: The consultant is the data processor, who has access to personal data and has been authorized to process the data by the customer, who is the data controller. The consultant gives us access to the data and the right to process the data, which makes us the data sub-processor.

   If the company or organization is our direct customer, we are the data processor under the authorization and on behalf of the customer. The customer is the data controller. 

4. Study the deletion principles

   Based on the GDPR, anyone can request that their personal data will be removed from Howspace. Our digital platform is compliant with the regulation, even in this respect. All users are recognizable on the platform, and the data related to a specific individual is easy to collect on request.

   The removal request is forwarded to the party that is in a contractual relationship with the individual. For example, an employee can request their employer to remove their personal data from Howspace. If the employer finds the removal request to be reasonable, they can forward the request to the consultant. If the consultant deems the request to be justified, they can ask us to remove the data from Howspace.

   In other words, a removal request may be subjected to a multistep review process and may not necessarily be approved. For example, if an employee who participated in a strategy preparation process on Howspace leaves the company and requests that their data be removed, the employer has good reason to reject the request. Rather than always prioritizing the individual’s interests, the GDPR sets clear common rules for procedures in different situations.

The General Data Protection Regulation (GDPR) becomes enforceable starting 25 May, 2018. We have collected a FAQ with background information and examples to help you better understand the GDPR in the context of handling personal data in Howspace.

“