The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. It sets out to protect the rights of individuals in the EU by giving them greater control over their personal data and by making companies more transparent and accountable in how they handle it. Before its implementation, the misuse of a person's data was typically punished with little more than a warning. Today, substantial fines are issued against companies that fail to comply: in the worst cases, an organization found to have mishandled personal data can be fined up to €20 million or 4 percent of its worldwide annual turnover, whichever is higher.
The GDPR has been pushing organizations to improve their data protection practices. Companies like Facebook, Google, and even Slack have updated their terms, rewritten contracts, and rolled out new data tools to prepare for the shift in compliance. Still, for many companies and individuals, the GDPR remains a somewhat obscure policy riddled with vague stipulations. Here's everything you need to know about it:
- What is the GDPR?
- Are you affected?
- Key terms
- Penalties and fines
- Changes you should make to comply with GDPR
- How can your business be GDPR-compliant?
What is the GDPR?
Related article: What is GDPR and how does it affect your business?
The GDPR is an EU regulation that replaced the Data Protection Directive 95/46/EC. It governs the processing of the personal data of individuals located in the EU member states and, through the EEA Agreement, in Iceland, Liechtenstein, and Norway. It also has a considerably wider scope than the directive it replaced, particularly in areas that matter for today's cybersecurity landscape. Some key changes include:
- Increased territorial scope – The regulation applies to all organizations processing the personal data of data subjects located in the EU, whether or not the processing itself takes place in the EU. In practice, this means that companies all over the world are affected as long as they offer goods or services to, or monitor the behavior of, people in the EU.
- Penalties for regulation violation – Non-compliance can lead to fines scaled to the scope and type of the organization's infringement. A supervisory authority will assess the violation and determine the penalty to be imposed.
- Transparent and concise consent – Companies must request consent in clear and plain language and in an easily accessible form; they may no longer bury it in long, complex terms and conditions. Consent must be given by a clear affirmative action, and customers must be able to withdraw it at any time, as easily as they gave it.
- Access rights – Customers can obtain confirmation from a company as to whether or not their personal data is being processed, where, and for what purpose. The company must also provide a copy of the customer's personal data free of charge (a reasonable fee may be charged only for further copies).
- Breach notifications – In the event of a personal data breach, the organization must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Affected customers must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Deletion rights – Also known as the "right to be forgotten," this allows the customer to have the company erase their personal data. It applies under certain conditions, for example when the data is no longer needed for the purposes it was collected for or when consent is withdrawn, and it is not absolute: the company may refuse where processing is required by law, for reasons of public interest, or to establish or defend legal claims.
- Data portability – Customers can receive the personal data they provided to a company in a structured, commonly used, and machine-readable format, and transmit it to another company.
- Privacy by design and default – Each new service or business process that uses personal data must build data protection in from the start. By default, only the personal data necessary for each specific purpose should be processed, and the most privacy-friendly settings should apply automatically when a customer acquires a new product or service. For example, if a user signs up for Facebook, the user should not have to change any privacy settings manually to be protected.
- Data Protection Officer (DPO) – Considered a cornerstone of the GDPR, the DPO acts as an intermediary between the organization, supervisory authorities, and customers. Keep in mind that only certain organizations are required to appoint a DPO.
Who is affected by the GDPR?
Related article: Implementation challenges to GDPR
The GDPR first and foremost protects individuals in the EU. Organizations that handle their personal data must adhere to it regardless of size or location.
Companies that process personal data on behalf of other businesses (data processors) also fall under the scope of the GDPR, with direct obligations of their own alongside those of the businesses that collect and use the data. For instance, a cloud provider to which a firm has outsourced storage is also bound by the regulation.
Key terms of the GDPR
Companies around the world are still struggling to fully comprehend the GDPR. It is a massive piece of legislation, and it can be challenging to understand everything at once. Below are some principal terms you need to know:
- Personal data – Any information relating to an identified or identifiable natural person. It includes names, addresses, photos, social media posts, bank details, IP addresses, and even fingerprints.
- Data controller – The person or organization that decides the purposes for which personal data is processed and the means by which it is processed. Two or more parties that decide this together are joint controllers.
- Data processor – A third party that processes personal data on behalf of the data controller, such as an IT service provider or cloud host.
- Data subject – The individual the data relates to. This could be your customer, you, or anyone identified or identifiable from the data in question.
- Consent – A freely given, specific, informed, and unambiguous indication of the data subject's wishes, by a statement or a clear affirmative action, agreeing to the processing of their personal data. Silence, pre-ticked boxes, or inactivity do not count as consent.
- Biometric data – Personal data resulting from specific technical processing of a person's physical, physiological, or behavioral characteristics that allows them to be uniquely identified, such as facial images or fingerprint data. Biometric data processed to identify someone is a special category of data subject to stricter rules.
Penalties and fines
Related article: GDPR: Benefit or burden? (What happens if you violate GDPR)
The GDPR takes a two-tiered approach to fines depending on the type and scope of the infringement. The lower tier is set at up to €10 million or up to 2 percent of the company's worldwide annual turnover for the preceding financial year, whichever is higher. It covers obligations such as data protection by design and default, keeping records of processing, security of processing, and notifying the supervisory authority of a data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. (For UK companies the supervisory authority is the Information Commissioner's Office (ICO); each EU member state has its own.) Note that the breach notification should describe the nature of the breach, the categories and approximate number of people and records affected, its likely consequences, and the measures you have taken or propose to take to address it.
The upper tier is set at up to €20 million or up to 4 percent of the company's worldwide annual turnover for the preceding financial year, whichever is higher. As stipulated in Article 83 of the GDPR, this is the maximum that can be imposed on companies found to have violated the core provisions, such as the basic principles for processing, the conditions for consent, data subjects' rights, and the rules on international transfers.
What changes should you make if your business is within the scope of the GDPR?
Related article: Tips for maintaining GDPR compliance
By now, you should be taking compliance seriously and adapting to the changes. Review what is required and adjust your security strategy accordingly. The following tips will give you a head start:
- Report any personal data breach to the supervisory authority in your country without undue delay and, where feasible, within 72 hours of becoming aware of it. Notify affected customers without undue delay when the breach is likely to put their rights and freedoms at high risk.
- Perform data protection impact assessments (DPIAs), which the GDPR requires for high-risk processing, to identify privacy risks before you collect, use, process, or disclose personal data.
- Simplify end user license agreements, privacy notices, and terms of service. Use clear and plain language that can be easily read and understood.
- Make sure your customers can withdraw consent as easily as they gave it.
- Delete a customer's personal data from your systems when they request it, unless a legal obligation or another exception requires you to retain it, and pass the request on to any processors that hold a copy.
- Build data protection into your systems from the start and make the most protective settings the default. This is the concept of data protection by design and by default put forth by the GDPR.
- Appoint a DPO if your company is a public authority, carries out large-scale regular and systematic monitoring of individuals, or processes special categories of data (such as health or biometric data) on a large scale.
How can my business be GDPR-compliant?
Your company should implement internal controls and procedures. Seek legal advice to determine whether you need a DPO and to help you understand the scope of your obligations, both legal and in terms of information security. Inventory the personal data you hold, where it is stored, who can access it, and which processors you share it with; this data map gives you a clear view of where you stand on GDPR readiness.
Deploy well-established security technologies such as encryption of data at rest and in transit, firewalls and network segmentation, access controls, and logging and monitoring of your data and systems; Article 32 of the GDPR explicitly names encryption and pseudonymization as appropriate measures. Consider hiring an experienced IT provider like Prosum to fill the gaps in your infrastructure, help defend your company from cyberthreats, and keep you in compliance with the GDPR. For more information, updates, and solutions for GDPR compliance, visit our website or give us a call today.