You don’t really need to read this, unless you have an EU based company or you have at least one customer in EU or you are just curious to learn what GDPR is all about.
Running your business nowadays means dealing with lot of data in order to come up with the best decisions, but dealing with large amounts of data can be quite dangerous and the question is how do we know if we store more than enough?
The things can get quite messy and even more dangerous when you have sensitive data such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or or sexual orientation.
I don’t care!
Well, you should care. The more time we spend on the Internet, the more data we give to third parties, the more we are exposed to vulnerabilities that we are even not aware of.
At the same time, many would argue that we already have mechanisms and regulations for data protection, but let’s breakdown GDPR and see how this new regulation is different than what we have right now, and how GDPR can protect your customers, or affect your business.
OK, tell me more.
Fine. But before we dive into explaining GDPR, we have to understand the current situation.
Data Protection Act
Currently, we have something called Data Protection Act (DPA), dated 1998, but back then the Internet wasn’t quite as big as today. The tools were pretty basic, the services were pretty basic, most of the work was done offline, rather than online, therefore the data protection acts, principles and rules were pretty basic.
It’s been 20 years since then, and the Internet has grown and the game has changed, therefore we need new protection regulations.
Particularly DPA was applicable only in the UK, and it was a matter of choice of individual countries, but for example, there is no requirement for an organisation to remove all data they hold on an individual no matter of the sensitivity.
You may have heard of the Cambridge Analytica scandal and the data the someone took out from Facebook through various applications, and sold it for a purpose that’s different than the initial purpose on which we as users gave consent for. And no one knows with whom else your data has been shared for other purposes.
With the new regulation called General Data Protection Regulation (GDPR), the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) as well as address the export of personal data outside the EU.
In short, if you hold data for at least one citizen of the EU, no matter where your business is located, then you are affected too.
I’m pretty sure we have at least one EU customer, what should we do?
No worries, we got you covered on this.
But let’s first break down the basic principles of GDPR.
1. Lawfulness, Fairness, and Transparency
These dictate that the personal data needs to be processed in a way that is lawful to the subject.
2. Purpose Limitation
The data processors can only use the data for the objectives they’ve explicitly described and justified.
3. Data Minimization
The information that is required has to be relevant to its purpose and limited to what is necessary.
4. Trueness, Accuracy
If some of the data is inaccurate, it should be removed or rectified.
5. Storage Limitation
Data is kept in a form which permits identification of persons for no longer than is necessary for the purposes for which the personal data is processed.
6. Integrity and Confidentiality
This principle stands for taking all required measures to ensure all the personal data is protected.
Breaking any of these principles will result with fines between 4% of your organization’s annual global turnover or 20 million Euros, whichever is higher. But more importantly, you don’t want to expose any of your user’s sensitive data. You suppose to protect them in the best way possible.
So what does it mean to be GDPR compliant?
These new regulations will take effect in less than 2 months and if you haven’t prepared you and your company about the new data protection principles here are 10 summarized steps of what it takes to achieve GDPR compliance.
1. Understand what GDPR is.
If you are reading this, you are probably already familiar with the GDPR. If not, you can find tons of information available on the Internet, including the official EU website for this regulation where you can inform and stay up-to-date with the latest news regarding GDPR.
2. Inform everyone in your organization.
You must prepare your organization for the upcoming regulation, meaning what actions should be taken and what are the risks of failing to comply. All responsible and related to this compliance and data processing will have to understand their obligations.
3. Inventory of personal data.
Become accountable by having an inventory of the personal data you hold until this moment. This inventory will help you answer several questions like why are you holding it, since when you have it, how did you obtain it, how secure it is, is it shared with third parties and so on.
4. Review of your current personal privacy rights.
The subjects that have provided their data to you have multiple rights pertaining the way you collect and hold their data. Make sure you are up-to-date with the new changes and plan accordingly.
5. Inform staff and service users.
These regulation changes affect personal data regarding your staff, clients and service users, too, thus you need to make them informed for their data subject rights.
6. Make sure you are aware of legal grounds.
GDPR strengthens the rules for getting and keeping the consent and your organization have to prove that you have a legal ground to process data. You have to adjust their data collection policies in an appropriate manner.
7. Change your consent requests.
In near future, the consent will be the most appropriate lawful ground and you must educate yourself how it must be sought. Here is what GDPR lists as specific requirements for lawful consent requests.
8. Handle child consent policies properly.
According to GDPR, children cannot give lawful consent since they’re less aware of the risks, consequences and safeguards of sharing their personal data. Data controllers must know the age of consent in particular countries and avoid asking consent from anyone under that age because the default age differs from country to country and varies between 13 and 16.
9. Plan for data breaches.
As this is the one of the greatest challenges that GDRP imposes organizations, in case of data breach, your company must report to your specific supervisory authority within 72 hours of discovery with as many details as possible.
10. Appoint data protection officer.
This person is responsible for overseeing organization’s data protection strategies and compliance program. Even only some organizations need to appoint DPO, it has been stated as recommendation that you should appoint one as a good practice.
GDPR was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period.
As initially stated, GDPR is all about strengthening and unifying data protection for all individuals within the European Union (EU) as well as addressing the export of personal data outside the EU.
At GSIX, we’ve been helping businesses become GDPR compliant. As the enforcement date is approaching very soon, we are offering free consultations and useful advice to help you become GDRP ready.
Schedule your free GDRP compliance check in the form below.