Data piracy. Right to privacy. Cyber security. These three words have been making buzz in the Internet world for quite a long time.
While customer-centric companies have always placed data protection high on their list of priorities, the recent controversies revolving around companies selling customer data for business gains or crossing the limits to offer personalized offerings all have led to a new awakening. Consumers, customers and public institutions are questioning the ‘goodwill’ with which businesses collect, store and utilize user data.
The Europe Union happens to be the epicentre from where the warcry for better data-protection laws is heard loud and at large. The General Data Protection Regulation (GDPR) is a result of it. Once it becomes effective from May 25, 2018, it will have a transformative effect on data protection effects. The positive effect will not be confined within the boundaries of the European Union but will also send its ripples throughout the globe.
GDPR – Key Points In a Nutshell
Broadly, GDPR is harmonizing the existing data-protection laws currently prevailing in the European continent. Additionally, it would also go on to expand the reach of the laws by introducing new compliances, many of which are being flouted by enterprises.
The non-compliance of GDPR will attract severe penalties, as much as 4% of worldwide turnover or €20 Million, whichever is higher (gdpreu.org).
Here are the core requirements that an organization must comply to prevent fines and penalties.
Documentation
All data collected from users must be documented and kept ready for regulatory scrutiny when asked for.
Legal Basis
The data collection should have a legal basis, like the fundamental need to fulfill a contract and a consent of the data subject to collect such data.
Rights of Data Subjects (Users)
Users should be vested with rights of data erasure (right to be forgotten), right to revoke consent, right to restrict processing, etc.
Security
The organizations are responsible to ensure proper security for the data through encryption or other similar methods for safe handling of the data.
Third-party Management
Organizations should require their outsourcing partners, vendors and suppliers and other third-parties also follow the regulation in same terms as is applicable to them.
Privacy
Software product engineering initiatives in the works should include privacy protection systems right from the initial steps.
Notification for Breaches
In the event of any data breach which are potentially serious enough to risk the user’s rights and freedoms must be notified to authorities within 72 hours. The users must also be notified subsequently if such notification is required.
Five Easy Checks Merchants must take to ensure GDPR Compliance
#1 Gain explicit consumer consent
GDPR lays down three major conditions for obtaining consumer consent.
- The consent must be freely given, must be specific and without any ambiguity.
- The organization must be able to establish that the subject (user) provided consent.
- The subject should be vested with the right to revoke their consent anytime.
Ever since the GDPR discussion started gaining momentum on the Internet, consumers have been receiving a torrent of emails from their service providers informing tweaks in privacy policies and terms and conditions. It is better to gain explicit consumer consent before the deadline ends on May 25th 2018.
#2 Have a system for breach response in place
Art. 33 of GDPR lays down that, in case of a personal data breach, the controller (the organization) must notify the same to authorities and in some cases, even users of the same within 72 hours. To ensure that the notification happens in due time without any undue delay, there should be a breach response system in place.
#3 Train employees about GDPR and its influence
Despite the massive press coverage and the steady flow of conversations, most employees are still on the dark about GDPR and how it applies to them. You need to train them to make them understand its real-world implications. Especially, if a business has cross-functional teams working across the borders, the need for training and understanding of GDPR is a must-have.
#4 Ensure employee data inclusion
Be informed that employees are also covered under GDPR. Employers have to obtain consent from employees to collect and process data from them. Ardi Kolah in his ‘The GDPR Handbook: A Guide to Implementing the Eu General Data Protection Regulation’ advises businesses to issue a ‘Data Privacy Notice’ that explains in plain English what constitutes personal data, how it will be processed and the authority employees should approach in case of concerns.
#5 Ensure Data Protection Officer Independence
If your business:
- is a public authority
- if you are systematically following individuals through data monitoring
- Or carry out large scale processing of special categories of data,
Then your business needs to have a Data Protection officer. DPOs usually report to the top rank of management and are vested with specific rights, including the right to non-dismissal or penalty for performance of their duties.
In other words, GDPR lays down that DPOs must be provided adequate independence to perform their roles and responsibilities.
The Next Few Days
The clock is ticking and the dates are flying. We are inching closer to one of the biggest milestones in the history of Internet. When GDPR becomes applicable from May 25th 2018 onwards, it will be a huge leap for the entire Internet community.
GDPR has a long list of requirements that enterprises must tick off to be compliant. It definitely requires serious heavy-lifting and long hours of discussion with your attorney and many number of coffee cups. Even if you cannot get over all the requirements, it is possible to prioritize and get compliant in the most critical areas.
5 such critical areas are outlined above. You can mark it as your flag-off point from where rest of the GDPR journey can continue. To sum it up, make sure you are on the right side of the law.
