7 things you need to know about GDPR before it’s too late
18 Jan
What is GDPR and why you have to comply with it.
WHEN. The General Data Protection Regulation – GDPR – comes into force on 25 May 2018, and you need to start preparing now.
WHAT. GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
GDPR brings a new set of “digital rights” for EU citizens in an age when cyber-attacks and data breaches are dramatically growing and the economic value of personal data is increasing in the digital economy.
If you haven’t already heard about it but your organization has to prepare for the upcoming changes in rules, now is the right time to start.
WHO. The new legislation redefines the rights and liabilities of the main actors in data processing:
- The data subject is a living individual who can be identified by personal data (customers, employees, etc.).
- The data controller collects the data and decides how it is processed.
- The data processor processes the data on behalf of the data controller for specific purposes (https://blog.wiredelta.com/7-ways-gdpr-will-affect-tech-businesses/).
HOW. The new European regulation affirms the need to guarantee data security through the:
- encryption of personal data;
- ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
- ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Communication to the data subject is not required if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
How GDPR will affect your business.
- This legislation compels organisations that process or hold personal data of EU residents to implement adequate security measures to protect against data loss.
- GDPR applies to all businesses and organisations established in the EU.
- Even organisations established outside the EU are subject to GDPR if they process information relating to EU citizens.
- There are tough penalties for companies that don’t comply with GDPR, with fines of up to €20 million or 4% of annual global revenue.
- Many people think that GDPR is just an IT issue, but that is far from the truth. It has broad-sweeping implications for the whole organisation, including the way companies handle marketing and sales activities.
What counts as sensitive personal data.
Some specific pieces of personal data are more delicate to deal with because of their sensitive nature.
GDPR treats any data that can be used to identify an individual as personal data. Sensitive categories include things such as:
- genetic data
- biometric data
- physical and mental health records
- cultural, economic and social information
Organisations need to ensure that they use simple language when asking for consent to collect personal data – they need to be clear about how they will use the information.
How to get prepared for GDPR.
- Map your company’s data: where all the personal data in your business comes from, what you do with it, where it resides, who can access it and what the risks are
- Determine what data you need to keep and remove any data that isn’t used
- Put security measures in place: develop and implement safeguards throughout your infrastructure to help contain any data breaches
- Review your documentation because pre-checked boxes and implied consent may not be acceptable anymore. You will have to review all of your privacy statements and disclosures and adjust them if needed
- Establish procedures for handling personal data. Individuals will have 8 basic rights under GDPR:
  - The right to access their personal data and to ask how and where it is processed and for what purpose the company uses it after it has been gathered
  - The right to be forgotten: if consumers are no longer customers, or withdraw their consent for a company to use their personal data, they have the right to have their data deleted
  - The right to data portability: to transfer their data from one service provider to another
  - The right to be informed before their data is gathered
  - The right to have information corrected
  - The right to restrict processing: their record can remain in place but not be used
  - The right to object to, and stop, the processing of their data for direct marketing; there are no exemptions to this rule
- Remember technology: make sure that any new tool you buy or develop is GDPR compliant
- Appoint someone who will be responsible for compliance with data protection requirements, and keep yourself updated on any new data regulation
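The encryption the post asks for (personal data unintelligible to anyone without the key, which is also its condition for not having to notify data subjects after a breach) and the right to be forgotten can be served by one design; the added example below is not from the original post and goes one step beyond it by erasing a subject through destruction of that subject's key. It assumes a hypothetical KeyStore type, Go's standard-library AES-GCM, and a key table that is held apart from the record store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore keeps one AES-256-GCM key per data subject, held apart from the record
// store; records persist only as ciphertext, and a subject is erased by dropping the key.
type KeyStore struct{ keys map[string]cipher.AEAD }
func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]cipher.AEAD{}} }

// Seal encrypts one record for a subject (key drawn on first use). The record ID is
// authenticated as associated data so a ciphertext cannot be moved between records.
func (s *KeyStore) Seal(subject, recordID string, plaintext []byte) ([]byte, error) {
	g, ok := s.keys[subject]
	if !ok { // first record for this subject: draw a fresh random key
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		if g, err = cipher.NewGCM(block); err != nil {
			return nil, err
		}
		s.keys[subject] = g
	}
	nonce := make([]byte, g.NonceSize()) // fresh nonce per record: never reuse with GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(recordID)), nil // nonce || ct || tag
}

// Open decrypts a record; it fails once the key is erased or if anything was tampered with.
func (s *KeyStore) Open(subject, recordID string, ct []byte) ([]byte, error) {
	g, ok := s.keys[subject]
	if !ok || len(ct) < g.NonceSize() {
		return nil, errors.New("key erased or unknown, or record truncated")
	}
	n := g.NonceSize()
	return g.Open(nil, ct[:n], ct[n:], []byte(recordID))
}

func (s *KeyStore) Erase(subject string) { delete(s.keys, subject) } // deletion request: records become noise
```

Losing the key table destroys every record at once, so in practice it needs its own backups and access controls; the example keeps it in memory only.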
Data is a valuable currency in our world, and while GDPR does create challenges and pain for all businesses, it also creates opportunity.
Companies that show they value individuals’ privacy, that are transparent about how they use the data, and that design and implement new ways of managing customer data will build trust and retain more loyal customers.