The Internet has completely changed the way we live. Every day we send dozens of emails, chat with friends on social networks and post photos to Instagram. But have you ever thought about how much personal data is involved in these “simple” operations?
We all remember the Cambridge Analytica and Facebook data scandal, in which up to 87 million users were affected. Since then, data protection and privacy issues have been taken more seriously than ever. The day when data laws change for good is just around the corner: on the 25th of May this year, the General Data Protection Regulation (GDPR) becomes legally effective. How will it affect your business? What are the new rules? And how do you make your business comply with it? These questions are the main points of this episode.
What is GDPR?
The General Data Protection Regulation is a regulation in EU law created with the main goal of protecting the personal data of EU citizens. Under this regulation, businesses need to ensure they have specific measures in place to protect data, to prevent or minimize the chance of a data breach, and to increase accountability when such breaches do occur.
Why was GDPR introduced?
One of the main, and probably the most obvious, reasons for introducing GDPR is that giant corporations such as Facebook, Twitter and Amazon provide their services for free as long as users agree to hand over their data. So the main goal is to bring data protection law in line with the way user data is actually collected and used. Remember the Facebook and Cambridge Analytica scandal? That is only one of the possible outcomes of granting such vast numbers of permissions.
Put simply, GDPR is aimed at regulating the ways organisations use the internet and the cloud to process user data.
What are the new requirements?
The new regulation is an evolution of the existing data rules. GDPR adds new requirements for documenting IT procedures, performing risk assessments under certain conditions and notifying both the authorities and consumers about a data breach, and it strengthens the rules on data minimization. So let’s look at what GDPR will introduce:
- Breach notification. Under this requirement, all companies will have to notify their data protection authorities within 72 hours of a data breach. If the breach falls into the category of “high risk to the rights and freedoms” of users, the data subjects themselves must also be notified.
- Personal data access. Individuals can demand that companies tell them how their personal data is gathered and processed, and how it is used after collection. Companies, in turn, will have to provide users with a copy of their personal data, free of charge and in electronic format where requested.
- Restrict processing. Individuals have the right to require that their data is not processed. In this case the data stays where it is, but it is not used.
- Delete all the data. If users no longer use the company’s services, or want to withdraw their consent, they can demand that the company delete their personal data.
- Stop the processing. Users have the right to stop the processing of their data for direct marketing.
- Data portability. This allows users to transfer their data from one service provider to another.
- Correct information. Individuals have the right to have their information updated if they find it incomplete or incorrect.
- Individuals must be informed. Users have the right to be informed whenever companies gather information about them. Additionally, companies need users’ consent to gather their personal information.
GDPR for businesses
The new regulation affects any business that operates within the EU. It also applies to companies that operate outside the EU but offer their services to customers or businesses located in the EU. Put simply, if your organisation is not in the EU but handles data belonging to EU residents, it may be “under the gun.” That covers the majority of the world’s corporations, which will need to adapt to GDPR.
The legislation applies to two types of data handler: “controllers” and “processors.” A processor is the party that carries out the data processing, while the controller determines how and why user data is processed.
The controller’s job is to make sure its processors abide by the data protection requirements. Processors, in turn, have to comply with these requirements and maintain records of their processing activities.
Remember that GDPR is not only an IT issue. The regulation has broad implications for the whole company, including the way it handles its marketing and sales activities.
Once again, GDPR applies to all businesses holding and processing EU residents’ personal data, regardless of their geographic location.
GDPR for consumers
First and foremost, the regulation gives users the right to be informed when their personal data has been hacked or stolen. The prospect of a huge fine will be a strong motivation for companies to notify the appropriate national bodies about data breaches as soon as possible.
It is also expected that it will be easier for consumers to access their personal data and learn how it is processed. Companies, in turn, need to explain how they process and use customer information in a clear and understandable way.
Another advantage for customers is that GDPR establishes the right to be forgotten. This gives users additional rights and freedoms, as they will be able to demand that companies stop processing their data or delete it.
Bearing that in mind, companies will have to be much more careful with personal data. For example, organisations will have to be able to prove that their users agreed to certain actions, even something as simple as receiving a newsletter. This can completely change the way marketing activities are managed: every record held needs to carry information describing what the contact opted into and how.
What do I need to do to comply with GDPR?
The main goal of GDPR is to improve data security and privacy practices among organisations, especially when it comes to personal data protection. So you will need to audit the data protection measures currently in place at your organisation, make sure all your data collection practices and procedures are GDPR-compliant, and keep records of all the information you hold.
Remember that this is not an easy process; it may require a lot of time and resources.
Additionally, you will need a proper security alerting system capable of spotting data breaches as quickly as possible. This is crucial, because under GDPR data breaches have to be reported within 72 hours. You will also need to appoint a data protection officer (if your business is in the EU), who will monitor the way you handle and process users’ personal data.
Some businesses might turn a blind eye to all these requirements. In that case, they had better have some cash to spare: neglecting GDPR can lead to a fine of up to 20 million euros or 4% of global annual turnover!
On the other hand, there are benefits too. The European Commission believes that having a single supervisory authority for the entire EU will make it simpler and cheaper for businesses to operate within the region. GDPR is also expected to save 2.3 billion euros per year across Europe. What is really cool is that the regulation will guarantee that all products and services are built to strict data protection requirements, bringing data protection by design to new products and technologies.
This will also be a strong motivation for companies to adopt new data protection techniques so that they can still benefit from collecting and analysing personal data. At the same time, it is a big step forward for the protection of personal data.
The Bottom Line
Once the General Data Protection Regulation comes into legal force, the way companies and consumers think about personal data will never be the same. However, the main question, “Will it be for the better or for the worse?”, remains unanswered. For now, we can only guess.
What we do know is that if you want to comply with GDPR requirements, today is the right time to start. May 25 is getting closer every day, so spend some time identifying your weak areas and developing an action plan for preventing data breaches.
Here is a little advice. Put yourself in the position of your users: how would you like your personal data to be gathered and processed? Do your best to make your business as secure as possible, and the rest will follow.
Remember that you have nothing to fear if your business is transparent about the way individuals’ data is used. In that case, GDPR will be your best friend!