Business owners around the world know that Europe is now protected by the European General Data Protection Regulation (GDPR), with May 25, 2018 as its effective date.

But chances are high that they all have the same question: What does GDPR mean for my business, and now that the deadline has passed, can we breathe easy?

To be frank, GDPR is complex legislation that can appear difficult to comprehend. Any company, big or small, will have to comply with new regulations regarding the secure collection, storage, and usage of personal information. What’s more, violations will be met with fines.

To make things simple, we have put together a definitive guide to familiarize you with the nitty-gritty of GDPR, how it applies to your business, and what steps you can take to be GDPR compliant.

Setting the Stage: What is GDPR?

The General Data Protection Regulation (GDPR) is a set of laws adopted by the European Parliament in April 2016, replacing an outdated data protection directive from 1995.

It is a regulation that requires businesses to protect the data and privacy of European Union citizens who transact with them.

At the same time, it gives citizens greater control over the data they share during transactions and while using services. Citizens have the right to request access to their data and even to withdraw consent.

Whom does GDPR apply to?

At its core, GDPR applies to every organization operating in the EU as well as to organizations outside the EU that offer goods and services to businesses or customers in the European Union.

This simply means that every organization in the world that holds any data on EU citizens, from personal information such as credit card numbers down to a simple photo of the citizen, needs to stay compliant with the GDPR.

[Figure: A simple illustration to determine whether GDPR affects you or not.]

Why does GDPR exist?

The reforms under GDPR are designed to reflect the world we live in today, bringing in laws and obligations centered on personal data, privacy, and consent.

Two reasons can be attributed to the introduction of GDPR:

  • GDPR brings data protection legislation in line with the ever-changing ways data is consumed, for example the way companies such as Google and Facebook now take access to their customers’ data in exchange for their services.
  • The earlier legislation, the Data Protection Act 1988, was introduced before the use of the internet and the invention of cloud-based services, and had therefore become obsolete with regard to associated security issues such as data exploitation. With GDPR in place, the EU wanted to increase trust in the digital sphere and hence introduced a clear, uniform legal framework within which businesses must operate.

What constitutes “personal data” under GDPR?

Under the GDPR legislation, Personally Identifiable Information (PII) refers to any information associated with an individual pertaining to his or her private, public, or professional life.

The types of information included in PII are:

  • Basic identity information such as first and last names and addresses
  • Web data such as email address, location, IP address, cookie data, and RFID tags
  • Banking information
  • Political opinions, such as those expressed through social media posts
  • Health and genetic data
  • Sexual orientation

Breaking down the basics: How to be GDPR compliant?

For all businesses operating or dealing in the EU, the new GDPR legislation has introduced many changes that they must implement. From maintaining strict data protection controls to reporting breaches to customers, businesses need to actively and continually monitor and protect users’ data.

Consumer Rights in GDPR and what they mean for businesses

Here we distill GDPR compliance down to the basics, so you can make sure you are in line with it.

Obtaining Consent

Businesses should clearly state their terms and operations. This simply means you cannot bury them in complex language designed to confuse your users. Consent should be easily given and freely withdrawn at any time.

Timely Breach Notification

If a data breach occurs within your organization, you have to report it to both the customers and the data controllers within 72 hours. Any failure to report a breach within this timeframe will incur fines.

Right to data access

If users request their existing data profile, businesses must be able to furnish a fully detailed, free electronic copy of the data collected about them. This report must also include the various ways you are using their information.

Right to be forgotten

Also referred to as the right to data deletion: once the original purpose for which customer data was collected has been fulfilled, customers have the right to request that you completely erase their personal data.

Data Portability

This right gives users an absolute right to their own data. They must be able to obtain their data from an organization and reuse that same data in different environments outside the organization.

Privacy by design

Under privacy by design, GDPR makes it compulsory for companies to design their systems with the proper security controls in place from the start. Any failure to design your data collection systems the right way will incur a fine.

Potential data protection officers

In certain cases, companies are required to appoint a data protection officer (DPO). Whether or not one is needed depends on the size of the company and the level at which it currently processes and collects data.

When should a company appoint a Data Protection Officer?

The GDPR clearly specifies that an organization should appoint a Data Protection Officer (DPO) if it carries out operations involving special categories of data, is involved in large-scale monitoring of citizens such as behavior tracking, or is a public authority.

In the case of a public authority, a single DPO can be appointed for a group of organizations. While appointing a DPO is necessary, it is also vital for companies to ensure they have the skills and staff needed to stay compliant with the GDPR legislation.

GDPR has brought a new level of transparency to data collection, storage, and usage. If your company is secretive about its data, now is the time to make a dramatic turnaround in line with the points mentioned above.

What comprises GDPR-compliant breach notification?

In the event of a data loss, whether the result of a cyber-attack, theft, human error, or anything else, companies are required to deliver an official breach notification. It should specify the number of individuals affected along with the categories and approximate numbers of personal data records concerned.

In addition to describing the potential consequences of the breach, such as theft or identity fraud, companies are also obliged to describe the measures being taken to deal with the breach and to counter any negative impact on the individuals concerned.

What are the consequences of GDPR non-compliance?

For your company’s account: breaching GDPR carries four levels of sanctions: a warning, a reprimand, the suspension of data processing, and a fine.

The fines are set at two levels:

Level 1: A payment of €10 million or 2% of annual global turnover, whichever figure is greater.

Level 2: A payment of €20 million or 4% of annual global turnover, again whichever figure is greater.

The higher level of fines is reserved for cases where a data infringement occurs, a consumer’s request for data access is ignored, data handling procedures are not followed, or an unauthorized transfer of data takes place.

The lower level of fines applies to data misuse of a more minor kind, such as failing to report a data breach or failing to implement proper data protection controls.

For the credibility of your business: GDPR is no joke, and any failure to meet it can put the viability and future of your company at serious risk. GDPR obliges businesses to officially notify of possible leaks of users’ private data. If an organization breaches this notification duty, its image will be associated with the infringement, both in public opinion and within the industry. Don’t be surprised if you are given a straight no the next time you try to secure an agreement for your company.

GDPR is already here, now what?

In preparation for GDPR, many companies have updated and redistributed their business policies, and they often wonder what their next steps should be to stay compliant. We will break down the steps for you:

Manage your Data through Audits

The prerequisite to reviewing your current data protection policy is to perform a data audit. This means checking all the personal data and information currently held in your database while asking yourself some simple questions:

  • How did you collect the data? 
  • Was consent sought before collecting that data? 
  • Has the data been used by or sent to any third parties?

Answering these questions will help you identify weak spots in your existing data policy, creating scope to rework them accordingly. By getting an overview of the data you currently hold and how you use it, you’ll be able to see which areas need improvement to become GDPR compliant.

Get Rid of Unnecessary Data

Once you have finished reviewing your current data on file and your protection policies, move forward with a data clean-up.

This simply means looking through all the data you currently possess and deciding what you need to keep and what to delete. There may be cases where you collected data in the past but never used it. Deleting unnecessary or redundant data is a great way to clean up your systems and helps mitigate the impact of any data breach.

The GDPR legislation states that user and event data must be retained according to stricter settings; when configured properly, your systems will automatically delete user and event data older than the retention period you select.

Adopting a retention control policy is a great way to avoid data hoarding, and at the same time provides a robust way to demonstrate compliance to auditors. Hence make sure you:

  • Understand what data you are collecting and classify it. Know what comprises personal data and what does not.
  • Adopt measures to understand where data is held, how it is kept, and how and when to delete it.
  • Back up your data, or anonymize and encrypt it.
  • Be open and completely transparent about your internal processes. Do not forget that your influencers, customers and other stakeholders will trust you only as long as you prove trustworthy.
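The retention paragraph above and the first two checklist points describe one mechanism: classify each stored record, attach a retention period to its category, and let the system delete what has outlived that period. The following is an added example, not code from the article or from any particular product; the categories, the retention periods and the sample records are constructed values chosen to illustrate the policy, and a real deployment would take them from its own data audit. It also covers two edge cases a sweep should handle: a record whose consent was withdrawn is deleted regardless of age (the right to be forgotten), and a record of a category the policy does not know is neither kept nor deleted silently but flagged for review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per data category, in days. These are constructed policy
# values for the example; set them from your own data audit and legal advice.
RETENTION_DAYS = {
    "user_profile": 365,      # personal data of accounts
    "event_log": 90,          # behavioural / event data
    "consent_record": 2190,   # consent evidence is kept longer than the data it covers
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    category: str
    created_at: datetime          # timezone-aware
    consent_withdrawn: bool = False


def classify_for_deletion(records, now):
    """Split records into (to_delete, to_keep, unknown) under RETENTION_DAYS.

    A record is deleted when it is older than its category's retention period
    or when the subject withdrew consent. Records of an unclassified category
    are returned separately so the audit can classify them; the sweep never
    guesses a retention period for them.
    """
    to_delete, to_keep, unknown = [], [], []
    for r in records:
        days = RETENTION_DAYS.get(r.category)
        if days is None:
            unknown.append(r)
            continue
        expired = now - r.created_at > timedelta(days=days)
        if expired or r.consent_withdrawn:
            to_delete.append(r)
        else:
            to_keep.append(r)
    return to_delete, to_keep, unknown


def run_retention_sweep(records, now):
    """Apply the policy; return the surviving records and an audit trail.

    The audit lines deliberately carry only the record id and category, not the
    subject id: an audit log that names deleted subjects would itself be a new
    store of personal data.
    """
    to_delete, to_keep, unknown = classify_for_deletion(records, now)
    audit = []
    for r in to_delete:
        reason = "consent_withdrawn" if r.consent_withdrawn else "retention_expired"
        audit.append(f"{now.date()} DELETE {r.record_id} category={r.category} reason={reason}")
    for r in unknown:
        audit.append(f"{now.date()} REVIEW {r.record_id} category={r.category} reason=unclassified")
    return to_keep, audit


# Constructed sample data: a fixed "now" so the run is reproducible offline.
NOW = datetime(2018, 9, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("u1", "s-100", "user_profile", datetime(2017, 1, 1, tzinfo=timezone.utc)),
    Record("u2", "s-101", "user_profile", datetime(2018, 6, 1, tzinfo=timezone.utc)),
    Record("u3", "s-102", "user_profile", datetime(2018, 8, 1, tzinfo=timezone.utc),
           consent_withdrawn=True),
    Record("e1", "s-100", "event_log", datetime(2018, 5, 1, tzinfo=timezone.utc)),
    Record("e2", "s-101", "event_log", datetime(2018, 8, 15, tzinfo=timezone.utc)),
    Record("c1", "s-101", "consent_record", datetime(2016, 1, 1, tzinfo=timezone.utc)),
    Record("x1", "s-103", "marketing_export", datetime(2018, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    kept, audit = run_retention_sweep(SAMPLE_RECORDS, NOW)
    print("kept:", [r.record_id for r in kept])
    print("\n".join(audit))
```

Run as a scheduled job, the sweep gives you both outcomes the text asks for: data older than the retention period is removed automatically, and the audit lines are the evidence of that removal you can hand to an auditor. The "REVIEW" lines are the useful failure mode; a category that reaches the sweep without a retention period means the classification step was skipped for that data.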

Summary and Final Thoughts

It is fair to say that GDPR is a huge transition in how businesses approach customer data. While the deadline has already passed, the real work lies in the months and years ahead. Especially as the dust over the first breaches begins to settle, this is a good time to reflect on the changes that GDPR can bring.

Companies should now focus on the ultimate goal: to build trust and be the kind of organization to which customers offer up insights and data freely. Embracing the quintessential mantra “security is everyone’s responsibility”, it is high time for businesses to work holistically towards meeting the expectations set by GDPR.

To put it as a final verdict: GDPR is an aggressive swing in the face of data abuse. Nonetheless, it should also be viewed as a positive force that has come to safeguard consumer data rights in our increasingly connected world. And just as it protects the consumer, it also protects organizations from overstepping their boundaries.