There is a great deal of talk about GDPR, so you would not be the only one wanting to find out what it is and what it means for your business. Read my need-to-know summary below.
What is GDPR?
The General Data Protection Regulation (GDPR) requires every organisation that collects, stores or otherwise processes the personal data of individuals in the European Union (EU) to follow strict processes and procedures. Its protection attaches to people who are in the EU, whatever their nationality, not only to EU citizens. It aims to strengthen data protection for everyone in the EU and, at the same time, to ease the regulatory environment for international trade by replacing a patchwork of national laws with one regulation that applies across the whole Union. GDPR arrives against a backdrop of growing demand for data privacy and widespread concern about data breaches.
Article 1 of the Regulation sets out its purpose: it protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data, while the free movement of personal data within the Union may be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
How do Businesses benefit from GDPR?
-Build stronger customer relationships and trust.
-Improve the organisation's brand image and reputation.
-Improve data governance and accountability for the data you hold.
-Strengthen security and demonstrate a genuine commitment to privacy.
-Turn good data handling into a competitive advantage.
When is the deadline to become GDPR compliant?
The Regulation was adopted in April 2016 and has applied throughout the EU since 25 May 2018, the date by which organisations had to be compliant. It replaced the Data Protection Directive (Directive 95/46/EC) of 1995, which predated most of today's data-driven business models.
Who does the GDPR affect?
The GDPR applies to every organisation established within the EU, whether a commercial business, charity, public authority or institution, that collects, stores or otherwise processes personal data, regardless of where in the world that data is actually stored or processed. It also applies to organisations established outside the EU if they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU (Article 3).
The underlying idea is that personal data may only be processed on a valid lawful basis, of which the individual's explicit consent is one, and only for the purposes that were specified when the data was obtained. Both data controllers (who decide why and how data is processed) and data processors (who process it on a controller's behalf) carry obligations and can be held liable under GDPR, which is a change from the previous Directive, where liability fell mainly on controllers.
What is considered personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person, that is, anyone who can be identified directly or indirectly from the data. This includes obvious identifiers such as name, postal address, email address, phone number and photographs, but also online and system identifiers such as IP addresses, cookie identifiers, device identifiers and location data, because these can single out an individual even without a name attached.
Special categories of personal data are subject to much stricter rules (Article 9): racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sexual orientation and sex life, health data, and biometric and genetic data processed to identify a person. Processing these is prohibited unless a specific exception applies, such as the individual's explicit consent.
What are the key provisions of GDPR?
Privacy by design and by default (Article 25) – GDPR requires organisations to build privacy into their processes and systems from the outset, rather than bolting it on afterwards, and to apply the most privacy-protective settings by default. In practice this means company software and systems must be able to support the key tenets of GDPR: for instance, a system should be able to locate and completely erase an individual's personal data, across every copy and backup it controls, when a data subject has a valid request.
Right to be forgotten (right to erasure, Article 17) – Data subjects can ask for their personal data to be deleted where there is no longer a legitimate ground for keeping it, for example where the data is no longer needed for the purpose it was collected for, or where consent is withdrawn and no other lawful basis applies. Organisations need reliable mechanisms to find and delete that data within the statutory deadline. As a side note, look up the 2014 Court of Justice of the EU case Google Spain v Mario Costeja González, which established the right for a Spanish resident to have search results about him delisted.
Right to data portability (Article 20) – Data subjects can obtain the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and can have it transmitted directly to another controller where technically feasible. This lets individuals move between providers and use their own data for their own benefit.
Consent (Articles 4, 6, 7 and 9) – Where consent is the lawful basis, GDPR raises the bar: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked boxes, silence or inactivity do not count, consent must be as easy to withdraw as to give, and explicit consent is required for the special categories of data. Control over one's personal data, a simmering issue in the US, is a central theme of GDPR, and the Regulation puts the data subject substantially in control of their own data. Organisations must therefore communicate clearly when asking for personal data and state plainly what it will be used for.
What are the penalties for non-compliance?
Organisations can be fined up to €20 million or 4% of their total annual worldwide turnover for the preceding financial year, whichever is higher. This is the maximum tier, reserved for the most serious infringements such as breaching the basic principles of processing, the conditions for consent, or data subjects' rights. A lower tier of up to €10 million or 2% of worldwide turnover, again whichever is higher, applies to other breaches such as failing to keep adequate records or to notify a breach.
Is your website GDPR compliant? As a GDPR certified consultant I can analyse your site and provide a report. Contact me now using the form below.