The General Data Protection Regulation is a law that governs how businesses use the data of EU citizens.
On April 27, 2016, the European Union parliament passed a law that would regulate how we use data: not just any data, but the data of any EU citizen residing anywhere in the world.
The law, which is referred to as the General Data Protection Regulation, seeks to give power back to citizens over how companies use their personal data.
GDPR is an improvement on the Data Protection Directive, which was put in place back in 1995 in the EU.
Let’s admit this: the internet has become an integral part of our lives.
We are able to connect, work, make payments, and even exchange information with anyone in the world. But such freedom has come with no responsibility.
Back in the 90s, the internet was not as vast as it is today, and hence much needs to be done to protect civilians’ personal information. The European Union has led the way in protecting consumers.
For the past few days, the story of Cambridge Analytica has rocked mainstream media. Facebook has been on the receiving end of the scandal. The hashtag #deletefacebook was also trending on Twitter, but the waters seem to have cooled down after Zuckerberg testified in the US Congress. Data privacy is becoming an issue with the rise of the internet and accessibility to affordable smartphones all over the world.
Currently, if you have the personal data of any EU citizen, you can use it however you want to. Heck, you can even sell such info. You will only get in trouble if your act is discovered. But things are going to change from May 25, 2018.
What constitutes personal data under General Data Protection Regulation?
Businesses are already required to protect customers’ personal information such as social security numbers, names, and addresses. But now, under GDPR, the list is much longer. See examples below:
- IP address and cookies
- Medical information
- Personal preferences like sex and political opinions
- Biometric info such as fingerprints, iris and face recognition
More so, customers will have rights under GDPR. First, businesses will have to provide clear and concise forms that outline what kind of data they need from consumers and for what purposes. These forms should be easy to understand and not hidden under long pages of content or unnecessary words.
Let’s just agree on one theory that is yet to be proven: hardly anybody reads the Terms and Conditions of a product or service on the web unless they are a lawyer or have been a victim of ‘not reading.’
The content of T&C web pages is usually long and full of tedious agreements that nobody has time for. But now businesses will have to do better than boring. You will need to craft pieces on your T&C web pages that clearly outline how you intend to use a customer’s data.
What is interesting to note is that if a data subject requests that his or her data be deleted, then as a business you should have the ability and the means to do so. The common phrase “the customer is always right” will now be a reality for businesses affected by GDPR.
Also, if at any point data of consumers is compromised, you should inform the subjects within 72 hours of the breach.
Clearly, the critical focus of the GDPR is transparency and allowing consumers to have more say in how their data is processed, shared and stored by companies.
How to know if you are affected
- Your business is located in the EU
- Your business is not located in the EU but processes the personal information of EU citizens
That basically means anyone conducting business in the EU should comply with GDPR.
What happens if you do not comply with the regulation?
There is much anticipation about how the law is going to be implemented. One thing is clear, though: any business violating the regulation will be slapped with fines. The suggested penalty is 2-4% of the annual growth of the company or 20 million pounds.
These fines will be imposed not only on businesses but also on third parties, such as cloud vendors, that handle EU citizens’ data.
How to avoid fines under GDPR?
If your business is among those affected by the new regulation, then you need to come up with clear-cut strategies that outline how you process your customers’ data. This has to start from within your company and extend to the services you use from vendors.
You need to sit down with your IT experts and work out how you will process, share and retain your customers’ data. Some of the critical roles identified by GDPR are:
- Data controller
This can be a person or a corporation that is in charge of particular data of specific individuals. A good example is banks: they receive and process information from customers. In some cases, companies can have joint controllers when they have branches in different locations. Multinational banks may be under one name, but each local bank processes data individually in its own country. As such, they can be referred to as joint controllers.
- Data Processors
Businesses hire corporations on a daily basis to undertake tasks for them. So when you hire another company to process the data of your customers or employees, that company is called a data processor. These can be cloud companies, web hosting services, content mills, etcetera. If you use such services, you should coordinate with the company in question to ensure that you comply with GDPR.
- Data Protection Officer
To ensure compliance with the GDPR, companies will need to create a Data Protection Officer position. This can be an already existing employee or a new addition to the team. The person will be in charge of streamlining processes within your company to ensure compliance.
- Data Protection Authority
This is an individual who is charged with monitoring General Data Protection Regulation compliance within EU member states. Each country within the EU will have its own Data Protection Authority, who will also address complaints from citizens regarding their personal data and fine companies that violate the regulation.
If you have no idea where to start, you can find companies established to help businesses transition into GDPR compliance before the due date. Of course, these businesses are only a few months old, so you need to find one that will actually meet your business needs.
Companies exempted from GDPR
There are always exemptions to any rule, right?
If an entity processes the personal information of EU citizens for national security reasons, then it is exempt in this case. Also, law enforcement authorities are not restricted under GDPR.
How about businesses operating in the UK?
The UK plans to officially leave the EU from March 29, 2019. It is unclear whether the UK will partake in the GDPR or come up with its own regulations regarding UK citizens’ data.
Is your business affected by GDPR? How are you preparing your business and your employees to ensure compliance?
Image source: Pixabay