In a few words, GDPR is a set of new rules that will control the export of personal data of EU citizens outside the European Union. It comes into force on May 25th, 2018 and will have a transformative effect on how digital and social media businesses capture, store and use the personal data of users, especially users from the European Union.
There has never been a time in history when personal privacy and data security have been so much at peril. Individual users grant a great deal of liberty to their digital service providers to use their real-time data. Such data collected by enterprises is often used for two primary goals –
- To drive more engagement through personalized services, or, in the worst cases, for the kinds of purposes exposed by recent controversies
- To be sold to third-party vendors for business gains.
Security breaches that leak private customer data on a large scale have also recurred over the past few years. It is these instances that have led to the introduction of stringent data protection rules like GDPR. GDPR stands for General Data Protection Regulation. Its primary motive is to harmonize the existing data protection statutes in the European Union. It also introduces several new norms that make up for the shortcomings of its predecessor, namely the Data Protection Directive.
GDPR will not only expand the reach of data protection law in the EU but will also ensure that such law is applied uniformly in all EU member states. From May 25th, 2018 every enterprise that collects or handles EU citizen data will have to ensure compliance with GDPR. In fact, it also applies to certain types of agencies or vendors that handle such data on behalf of enterprises.
The aftermath of non-compliance: a hefty fine amounting to 4% of global turnover or €20 Million, whichever is higher (gdpreu.org).
Primary Motives of the GDPR
The primary motives of the GDPR are:
- Ensure uniform compliance across EU
- Ramp up laws to modern-day technologies
- Make compliance less onerous for enterprises
Ensure uniform compliance across EU
The first motive of the GDPR is to ensure that the data protection rules are complied with in the same manner across the EU. Secondly, the current laws need a revival to make them more relevant to, and abreast of, cloud-driven, freemium-based and often free digital services. Think Facebook, Google, Twitter, etc. Thirdly, it will also make the compliance process less onerous for enterprises.
Ramp up laws to modern-day technologies
The predecessors to the GDPR, like the Data Protection Act 1998 and the EU’s Data Protection Directive 1995, have become obsolete in the days of cloud-driven business models, social media, mobile apps, eCommerce and digital economies. There is a pressing need for a modern data protection law crafted for the mobile era. And thus came the GDPR.
Make compliance less onerous for enterprises
By bringing all data protection compliance requirements under one roof, GDPR will make it less taxing for enterprises to ensure compliance. It will drastically bring down instances of unintended non-compliance caused by having to satisfy too many separate statutes.
Key Compliances Required by the GDPR
The key compliance requirements of the GDPR are summarized below:
The data collected from users, whether cookies, user information, location, or even biometric information such as fingerprints, retina scans and genetic data, must be documented. The documented records must be presented for scrutiny on demand.
Legal Basis for data collection
The data collection must have a legal basis, such as fulfilling the contract between the user and the enterprise. There should also be explicit consent from the user for data collection.
Rights of Data Subjects (Users)
Users must be given the right to revoke or restrict data processing. A right to erasure, that is, complete deletion of the data collected so far, must also be provided.
The business (or ‘controller’, as GDPR calls it) must ensure the security of the user data through encryption or similar mechanisms.
Notification of Breaches
In the event of a security breach that risks the user data and their rights associated with it, the controller must notify the authorities within 72 hours.
Privacy by design
Businesses must ensure that privacy is considered as a core element right from the initial design and development stages of the software product or service.
Third-party Data Management
Organizations that outsource their data to vendors or third-party agencies for analysis or for other business purposes must ensure that those vendors also adhere to GDPR. GDPR applies to such vendors just as it applies to their principals, irrespective of their entity status.
Are you on the right side of the Law?
For a layman, GDPR might seem like a complicated legal maze. There is a great deal of jargon and many conditions, which make it a little difficult to understand and implement. But that should not deter your business from GDPR compliance. Here are 5 simple areas where you can ensure compliance to be on the right side of the law.
- Ensure explicit user consent
If you are collecting any kind of information from users, like their name, location, browser cookies, contact details, etc., ensure that it is collected and recorded with their explicit consent.
- Ensure compliance with employee data too
Employees also fall into the category of ‘data subjects’ as specified by GDPR. So make sure you give employee data the same importance you give user data.
- Be prepared for breach responses
Ensure you have a system in place to react and take action in the event of a security breach. This will help you comply with the 72-hour deadline within which the authorities must be notified.
- Check if you need a Data Protection Officer
If you are a public authority, or you monitor user data and carry out large-scale data processing, then GDPR lays down that your organization needs a Data Protection Officer.
In A Nutshell
GDPR has been applicable since May 25th, 2018. You don’t have any time left to ensure compliance with the regulation. The time is NOW to start acting and put your data activities on the right side of GDPR. Even if you cannot ensure complete compliance, it is possible to comply in the critical areas, some of which we have covered above.