GDPR – The EU regulation with the global implication
GDPR recently became quite a popular topic and everybody seems to be talking about it. Having this in mind, I decided to summarize the most important things you need to know about it below:
#1 What is GDPR?
The General Data Protection Regulation, also known as GDPR, will be a radical overhaul of the 1995 Data Protection Directive and is said to be the biggest change in data protection law in the past 20 years. The GDPR is designed to give EU citizens back control over the personal data that organizations and businesses hold about them. It consists of a set of rules governing the security and privacy of personal information.
#2 What is referred to as personal data?
Personal data is any piece of data that could be used to uniquely identify a person, or data about an already identified person. It also covers all data that a company has obtained, in one way or another, from a third party or based on a consumer’s activity on the company’s website. (Bozho, 2017)
The GDPR becomes enforceable on 25 May 2018.
#3 What will the GDPR represent?
The GDPR will represent a new set of rules laid down by the European Commission, governing the privacy and security of the personal data of individuals living and working in the EU. These rules aim to protect the data privacy of all EU citizens and to reshape how organizations approach data privacy. In other words, consumers’ control over their personal data will increase.
#4 Who will the GDPR concern?
It will concern almost everybody: the rules must be complied with by every company that holds data belonging to anyone living in Europe, regardless of where the company is located. In other words, GDPR concerns companies worldwide; it has a direct impact on any enterprise that sells goods and/or services to EU citizens.
#5 What about those companies which do not comply?
Companies could face fines running into tens of millions of Euros if they breach the new regulation. Organizations found in non-compliance face fines of up to 4% of their global annual turnover or 20 million Euros, whichever is greater. Non-compliance will also be quite damaging to a company’s reputation, bearing in mind that privacy and consumer trust are paramount.
#6 So, what should you do as a company?
Of course, you should take action as soon as possible. But what kind of action, you may ask? Well, I have that covered for you below!
But before that, let us clarify what is meant by the Data Subject, the Data Controller and the Data Processor:
- The Data Subject: any EU citizen about whom you hold personal data. These are all your customers and all your users, and your employees too.
- The Data Controller: most likely, that’s you, the company that its customers have entrusted with their personal data. You are the one who owns that data and controls it, and that makes you the responsible party for deciding what happens to the data, what it is used for and how it is handled.
- The Data Processor: any third party that processes the data on behalf of the Data Controller.
#7 And what are the rights of the Data Subject?
- Right to be forgotten (or right to erasure): Data Subjects can request that their data be erased when it is no longer necessary for the original purpose.
- Access and rectification: Data Subjects must have access to their personal data and must be able to correct it.
- Portability: a Data Subject must be provided with all personal data a Data Controller holds about them, in a portable format.
So, having this in mind, here is what you should do:
- You should have a method which enables you to delete all personal data you hold about a user.
- You should notify all third parties of a data erasure request: a Data Controller and a Data Processor are equally liable for the personal data they hold about a user. In other words, you are responsible not only for the personal data on your own systems, but also for all the data you have pushed to third parties. So, if a third-party processor is not in compliance, neither is your organization.
- You should enable your users to receive all the data you hold about them.
- You should enable users to edit their profile, even if the data you have collected about them comes from other sources (for example, if you collected their personal data via “Login via Facebook”). Users must be able to edit all the data you hold about them.
- You should have an “Export Data” button, allowing users to export all their personal data that you hold about them.
- You should delete or anonymize all user data once it is no longer needed. For example, if you collected data in order to ship a product, it should be deleted or anonymized as soon as it is no longer required for that purpose.
Bearing this in mind, you will be required to protect the personal data and privacy of EU citizens, regardless of where your business is located. The sooner you take action, the better.
You should ensure that all the data you collect and process is collected and processed with the customer’s consent. This consent must be freely given, specific, clear and unambiguous. In other words, if a customer has explicitly agreed to provide you with personal data for a marketing campaign, for example, you cannot later use that data to sell products or services directly to this customer.
You should also check how your company stores personal data and ensure that your storage methods are accurate and strictly compliant. You should also ensure that every employee in your organization who handles that personal data is acquainted with the changes and understands what they mean. Lastly, you should ensure that any third parties who handle the personal data you hold are GDPR compliant, or will be by the time the GDPR becomes enforceable.