What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy for all individuals within the EU (European Union) and EEA (European Economic Area). It also addresses export of personal data outside of the EU and EEA.
If you are running a business that is processing personal data of the EU residents, then you must accommodate following rights of your users, who are EU residents:
1. Expansion of individual rights, for EU residents, including:
- Right to be forgotten: the right to require your business to delete an individual’s personal data without undue delay
- Right to object: the right to prohibit certain data uses
- Right to rectification: the right to require that incomplete data be completed or that incorrect data be corrected
- Right of access: the right to know what data about the individual is being processed and how
- Right of portability: the right to request that personal data held by your business be transferred to another company
2. Stricter consent requirements: You must obtain consent for the use of personal data. For example, you should use double opt-in to obtain consent from your email newsletter subscribers.
3. Stricter processing requirements: Your users have the right to receive information about the processing of their personal data, including:
- Your business’s contact details
- What data you are collecting and why
- How long you are going to retain data
- What is your legal basis for processing personal data.
You should review the GDPR in its entirety to ensure that you have a full understanding of its requirements.
You should also understand that the GDPR is the most important change in data privacy regulation in 20 years as it will fundamentally reshape the way in which data is processed across every business from social network, search engines, to banking and healthcare.
The GDPR also redefines the roles for senior management in businesses for data protection. For example, Chief Information Officers (CIOs) must ensure that they have well-defined consent management processes in place for users to share their data. Similarly, Chief Marketing Managers (CMOs) must put in place effective data rights management systems to ensure they don’t lose data, which is their most valuable asset.
Since non-compliance to GDPR may result in heavy fines, you have no other choice but to put in place appropriate technical and organisational measures to implement the GDPR principles.
What are the primary goals of the GDPR?
The GDPR regulation aims to give control to individual users over their personal data. It also aims to unifies regulations, and, thus, simplify regulatory environment for internet based businesses with the EU.
The GDPR regulations contains requirements for processing personal data of individuals (called Data Subjects) by businesses (called Data Controller), whose core activities revolve around systematic processing of personal data from EU residents. .
Facebook is a good example of a Data Controller. Based on your personal data and online behavior through status updates, likes and comments, Facebook shows you advertisements. Google is an another example of Data Controller – based on your personal data, search and browsing history, it shows you advertisements. To show you the most relevant advertisements and, hence, charge advertisers the maximum amount that they could, both Facebook and Google process tons of your personal data. GDPR aims to give you, if you reside in the EU, control over how Facebook, Google and other such Data Controllers, process your personal data.
What is the maximum GDPR fine?
Businesses violating GDPR may face a fine of €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Why should I comply with GPDR regulations?
If you are running a business whose core activities are centred around regularly and systematically collecting personal data of users, you have to ensure that your user data is protected. If your users are EU residents and you fail to comply to GDPR regulations, you may face heavy fines.
Sooner or later other countries may start following GDPR or some similar regulations, given increased awareness and sensitivity towards misuse of personal information. Hence, for the long term success of your business, you have to work towards protecting your user data.
How to comply with GDPR regulations?
You should build your business processes for products and services, that handle personal data, with data protection by design and by default. You may consider putting in place safeguards to protect data such as either encrypting or removing personally identifiable information from data sets, so that people whom data describe remain anonymous.
Data privacy setting on your website or app should be in the highest-privacy mode by default so that data is not available publicly without explicit and informed consent. You should process personal data only after receiving unambiguous affirmations, that is plainly-worded and freely-given, from individual users. You should allow your users to request a copy of data collected by you, allow to revoke their consents anytime and the right to have their data erased under certain circumstances.
On your site or app, you should clearly disclose if you are collecting any data, declare lawful basis and purpose of data processing, state how long you are retaining data and whether you are sharing data with any third party outside the EU.
You should appoint a Data Protection Officer (DPO) to manage compliance with GDPR and report any data breach within 72 hours if they have any adverse effect on user privacy.
Here are some common changes in your business to get your started with the GDPR compliance:
- Migrate to secure connection (https) for your website, which helps foster customer trust.
- Include better-designed opt-out pages, so that users can decline the collection of data if desired.
What is a Data Privacy Notice?
The EU General Data Protection Regulation (GDPR) requires that Data Controllers (businesses, whose core activities revolve around systematic processing of personal data from EU residents) provide certain information to people whose personal data they process and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.
A privacy notice should identify who the Data Controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.
Who is responsible for enforcing GDPR regulation?
A Data Controller i.e. a business with is processing personal data of EU residents, is required to employ a data protection officer (DPO), who is responsible for monitoring internal compliance with the GDPR regulations. DPO should have expert knowledge about data protection laws and practices.
Do I need to comply with GDPR?
You need to comply with GDPR regulations if either of the following criteria applies to you:
- If you are running a business that collects data from EU residents, or
- You process data of EU residents on behalf of some other business (for example, you are offering a cloud service that is being used by an e-commerce website targeted for EU residents).
What constitutes a data breach?
A business, that is processing personal data of EU residents, is legally obliged to notify the supervisory authority of any personal data breach within 72 hours, unless the breach is unlikely to risk the rights and freedoms of the individual users.
Also, if the business, facing data breach with adverse effect, has implemented appropriate technical and organisational protection safeguards that render user’s personal data unintelligible, for example by encrypting data, for any unauthorised person then it doesn’t need to notify individual users. Otherwise, individual users have to be notified.
What is protected by GDPR?
The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas.
The map above shows EU countries. UK is scheduled to quite EU in March 2019. The EEA includes EU countries and also UK, Iceland, Liechtenstein and Norway.
What are the GDPR principles?
Following are the six privacy principles that your business, if it processes personal data of EU residents, need to follow to comply with the GDPR regulation.
#2 Purpose Limitation: You should only collect personal data for a specified and legitimate purpose, explicitly state what that purpose is, and only collect data for as long as necessary to complete that purpose.
#3 Data minimisation: You must only process a minimum amount of personal data that is necessary for you to achieve the purposes for which you are processing data. In other words, don’t collect personal data that you don’t absolutely need. Apart from compliance with GDPR, this will also help you in two ways: (i) in the event of a data breach, the unauthorised individual will only have access to a limited amount of data, and (ii) data minimisation makes it easier to keep data accurate and up to date.
#4 Inaccuracy: The accuracy of personal data is integral to data protection. You must take every reasonable step to erase or rectify data that is inaccurate or incomplete. Your users have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
#5 Storage limitation: You need to delete personal data when it’s no longer necessary. This will depend on the industry you are in and the reasons you are collecting data for. For example, an e-commerce company may argue that it needs to store data as long as possible as a user may come back later to make more purchases. At the same time, if a user is not logging into that site for 12 months, it may be reasonable to assume that the user is not going to come back and, hence, the user’s personal data should be deleted.
#6 Integrity and confidentiality: You should put in place appropriate technical and organisational measures to ensure that personal data is processed securely, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
What is personal data in GDPR?
Personal data is any information related to private, professional or public life of an individual. It includes name, home address, photo, email, phone, bank details, work address, posts on social networking websites and medical information. Under certain circumstances, it also include IP address or mobile device Id, which could be used to identify a person.
What is personally identifiable information?
The GDPR’s definition of personal data means any information relating to an identified or identifiable natural person by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It also includes personal data that is encrypted or hashed and that could be used to identify a person.
GDPR Self-assessment Checklist
If you are running a business which processes personal data of EU residents, you need to comply with GDPR regulations.
You can refer to the self-assessment checklist above prepared by Information Commissioner’s Office, UK that is designed to help you, as a business, assess your high level compliance with data protection legislation. Includes the rights of individuals, handling requests for personal data, consent, data breaches, and data protection impact assessments under the General Data Protection Regulations.
What is GDPR ICO?
Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. As well as carrying out duties in the UK, the ICO also co-operates with international data protection authorities, including the European Commission. Click here to visit ICO website to learn more.
What is a DPO?
Data Controller Officer (DPO) is a person responsible for monitoring internal compliance within an organization with the GDPR regulations. He should have expert knowledge about data protection laws and practices. Any organization that is processing personal data of EU residents is required to employ a DPO.
When did GDPR came into force?
The GDPR was approved by the EU Parliament on 14th April 2016 and became effective from 25th May 2018.
Why protecting customer data is important?
Any information that your business stores digitally needs to be properly protected not only as a legal necessity but also to protect and maintain your business itself.
Without appropriate technical and organisational data protection measures, cybercriminals can hack into your system to steal banking, addresses and contact information of your customers. Such a security breach might be costly to your business. You may lose customers’ trust and, in turn, businesses from them. In addition, customers affected by a security breach can sue your business and demand compensations.
You may also leave yourself open for fines for violating data protection. Under GDPR, there are heavy fines for violations. Businesses violating GDPR may face a fine of €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Hence, you should upgrade your business model with data protection by design and by default perspective. You would be able to improve customer satisfaction, build trust and even avoid the cost of legal actions.
Is your business GDPR compliant?
Do you want to ensure that your user data collection and processing comply with the GDPR regulations?
Click here to reach-out to us.