This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.
The General Data Protection Regulation (GDPR) replaces the patchwork of national privacy laws across the EU and EEA with a single regulation that applies directly in every member state. It covers every company that stores, processes or sells the personal data of people in those countries, including companies based on other continents. The aim is to give individuals in the EU and EEA more control over their personal data and a consistent level of protection for it across Europe.
Under the GDPR, personal data is any information relating to an identified or identifiable person: a name, an email address, a photo ID, social-network posts, medical data, bank details, the IP address of a computer, location data, and any other information about a person.
According to the GDPR, the rights of individuals include:
- Right to access
Individuals have the right to ask a company whether it holds personal data about them, to obtain a copy of that data, and to be told what it is being used for. The first copy must be provided free of charge (a reasonable fee may be charged for further copies), and when the request is made electronically the copy should be supplied in a commonly used electronic format.
- Right to be forgotten
If individuals withdraw the consent on which a company's use of their personal data was based, or the data is no longer needed for the purpose it was collected for (for example because they have stopped doing business with the company), they have the right to have that data erased.
- Right to data portability
Individuals have the right to obtain the personal data they have provided to one service provider and move it to another. The data must be supplied in a structured, commonly used, machine-readable format.
- Right to be informed
Individuals have the right to be told, at the time their personal data is collected, who is collecting it, why, and how it will be used. Where processing relies on consent, that consent must be given freely and by a clear affirmative action; it cannot be implied by the company through pre-ticked boxes, silence or inactivity.
- Right to correction of information
If the data held about them is inaccurate, incomplete or out of date, individuals have the right to have it corrected or completed.
- Right to restrict processing
Individuals have the right to restrict the processing of their personal data. The company may keep the record, but it must not use the data beyond storing it.
- Right to object
Individuals have the right to object to their personal data being processed for direct marketing. This right is absolute: once the objection is received, processing for that purpose must stop. The right must be brought to the individual's attention clearly and separately, at the latest at the time of the first communication.
- Right to notifications
If a personal data breach occurs, the company must report it to the supervisory authority within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the affected individuals' rights and freedoms, they too must be informed, without undue delay.
Fines for non-compliance reach up to 10 million euros or 2% of the company's global annual turnover, whichever is higher, for the lower tier of infringements; the most serious infringements fall into an upper tier with double those ceilings.
The personal data protected by the GDPR includes:
- Name, ID numbers, address and other basic identity information
- Location, cookie data, IP address, RFID tags and other web data
- Biometric information
- Health and genetic data
- Political belief or opinion
- Ethnic or racial information
- Sexual orientation
By May 25, 2018, each company must comply with the GDPR.
If your company does not yet have a GDPR compliance program, the first step is to work out whether the GDPR applies to you at all. Having no presence in the EU does not necessarily put you outside the regulation: it protects the personal data of individuals in the EU, so if your company collects data from people in the EU, it must comply.
According to the ISF's GDPR Implementation Guide, the regulation applies to any organisation that is established:
- In the EU region
- Outside the EU region, but offers goods or services to individuals in the EU (which involves collecting their personal data)
- Outside the EU region, but monitors the behaviour of individuals in the EU
According to the GDPR, organizations are classified into two groups:
- Data controller – an organisation or individual that determines the purposes for which, and the means by which, personal data is processed
- Data processor – an organisation or individual that processes personal data on behalf of, and on the instructions of, a data controller
The same organisation is often a controller for some data and a processor for other data.
For a better understanding of the commitments of your company to the GDPR, it is important for you to know whether your company is a data processor or a data controller. Answer the three questions below to understand the stand of your company:
- Does your company collect, store or process personal data of individuals in the EU?
- Which elements of personal data does your company store?
- Does your company itself decide how the personal data it holds is used?
If you answer yes only to the first question, handling data purely on another organisation's instructions, you are a data processor. If you answer yes to all three, deciding what is collected and how it is used, you are a data controller. Either way, you are subject to the GDPR.
Whether you are a data processor or controller, the storage and protection of the personal information collected from consumers must comply with the GDPR.
Being able to protect against data loss and against backup and recovery failures, and to remedy them when they happen, is evidence that you can guarantee the integrity, security, erasure and availability of the personal data you hold. These failures fall into three groups:
- Device errors
These are physical faults in storage hardware such as hard disks, storage controllers and data-center equipment. For instance, a hard disk accidentally exposed to a strong magnetic field can lose the data stored on it.
- Software or logical errors
These are human or software errors: files accidentally overwritten or deleted (for example during a backup procedure), the master boot record of a disk wiped by mistake, or data corrupted unintentionally (for example by a bug in a business application or script).
- Security breaches
These are failures caused by malicious attacks on the network, applications, servers, devices and other IT infrastructure, whether by cybercriminals, state-sponsored attackers or disgruntled insiders. A typical example is a ransomware attack that encrypts the data on a disk and demands payment before the decryption key is released.
Because personal data can be transferred out of the EU, the GDPR sets out to protect the rights of people in the EU wherever their data goes. Any company with access to the personal data of individuals in the EU is therefore subject to the rules, whatever its size, from a micro-business to a multinational.
A company outside the EU, an Indian company for example, can comply either by blocking EU users entirely (not a realistic option for a multinational brand) or by putting processes in place that guarantee compliance.
- Broad jurisdiction
The rules apply to any company that processes the personal data of individuals in the EU, wherever the company itself is located.
- Stringent penalties
The most serious infringements can attract penalties of up to 20 million euros or 4% of the company's annual global turnover, whichever is higher. Not every infringement draws the maximum, but the penalties are stringent across the board.
- Easy-to-understand and improved consent from data subjects
Requests for consent must be presented in clear, plain language in an easily accessible form, must state the purpose of the processing, and must be distinguishable from other matters the individual is agreeing to. Withdrawing consent must be as easy as giving it.
- Mandatory breach notification
If a data breach is likely to put individuals' rights and freedoms at risk, the controller must notify the supervisory authority within 72 hours of becoming aware of it, and must inform the affected individuals without undue delay where the risk is high. A processor that becomes aware of a breach must notify its controller without undue delay.
- A reiteration of vital consumer rights
These include the right of data subjects to obtain a copy of their personal data together with information on how it is being used; the right to be forgotten, also called the right to erasure; and the right to data portability, which lets data subjects move their personal data from one service provider to another.
- Improved systems
Privacy by design is now a legal requirement: the GDPR mandates that data protection be built into systems and processes from the outset rather than added on afterwards.
- Specific protection for children
Because children are less aware of the risks and more vulnerable, the GDPR requires parental consent where online services offered to children under 16 rely on consent (member states may lower this threshold to 13).
Below are a few fundamental points to consider when creating a compliance plan:
- Integration of the marketing and IT departments
Your IT department is the one you will rely on most for the monitoring and implementation your plan requires and for managing cybercrime risk. Companies that rely on marketing technology (martech) will need to invest in more secure, tailored IT solutions that keep them within the regulation and preserve consumer trust.
- Get the services of a Data Protection Officer (DPO)
The GDPR makes both controllers and processors accountable, and it requires a DPO only in specific cases (public authorities, organisations whose core activities involve large-scale regular monitoring of individuals, or large-scale processing of special categories of data); a small operation may not be obliged to appoint one. Even so, appointing a DPO is a worthwhile investment, because the risk of getting compliance wrong may be too great for your company to carry. The GDPR's consistent message is that consumers' data must be kept private, and whatever you can do to meet that obligation is worth doing.
- Thoroughly audit the current security system of your data
The most effective way to ensure compliance is to assess your current data systems accurately. This identifies the high-risk areas so they can be corrected before enforcement begins.
- Teach your staff the importance of privacy
Most of the responsibility for compliance falls on your security staff, but everyone who has access to personal data should know what the GDPR requires. That includes staff who interact with new users or customers, those responsible for data entry, and those who maintain the CRM systems.
- Build tools that guarantee privacy
New compliance solutions and methods appear all the time, and not every one of them fits every organisation. Work with your IT department and your Data Protection Officer (DPO) to build a solution that suits your own processing.
- Work with GDPR-compliant third-party providers
Your CRM provider, your email service provider, your marketing and PR agencies and any other third-party providers must be part of the plan. Breaches by the third-party processors you work with can be held against you, so every part of your data processing chain must comply with the regulation.
May 25, 2018, the date from which the GDPR applies, is fast approaching, and with it the penalties for non-compliance. Every business, service provider and institution serving individuals in the EU can and should prepare now. Start by understanding how the GDPR strengthens and extends individual data protection rights compared with the previous rules, including the 1995 Data Protection Directive. Learn the terminology the new regulation uses so you know exactly where you stand. Then work through each compliance requirement and review your privacy and data protection practices closely against it. Finally, make sure your services, data protection and storage meet the new requirements of the GDPR.