You may have heard of GDPR (General Data Protection Regulation) by now; if you haven't, this article explains what it is. The legislation has a far-reaching impact even on some of the largest organizations in the world, so it is important for everyone to know what it entails.
What does GDPR entail?
GDPR was enacted in April 2016. The European Union (EU) gave organizations two years to comply, so the legislation comes into effect on May 25, 2018. From that date, any organization established within the EU that stores, holds, or uses personal data must comply with the new rules.
In addition, companies located outside the EU will also be affected as long as they offer goods or services to people residing in the EU. For instance, a US-based call center that handles customer service for firms selling their services in Europe falls into this category.
GDPR is probably the most significant shake-up in data protection in recent years, and the cost of complying is huge. EY and the International Association of Privacy Professionals projected that Fortune Global 500 firms would spend about $7.8 billion to get ready for the new legislation.
GDPR replaces national data protection regulations across Europe, including the outdated Data Protection Act 1998 (DPA).
The most important thing about this legislation is that it is meant to protect the privacy of personal information, including contact details.
Under GDPR, "personal information" means any information that relates to an identifiable, living individual.
This includes an individual's name, location, IP address and contact details, as well as less obvious details such as factors specific to the genetic, mental, psychological, physical, cultural, economic or social identity of a person.
Think of this legislation as a way to protect people's personal information that is held and used by various organizations.
What are the key policies in this regulation?
1. Opt-in and valid consent
A key focus of GDPR is the conditions for consent. It requires an explicit opt-in for the processing of personal data, and consent to use personal information must be specific, unambiguous, and informed.
The regulation could put a stop to long, drawn-out user agreements that consumers hardly ever read. Any statement about data use must be short and understandable, and organizations will no longer be able to use confusing or unclear statements in order to obtain your data.
2. Right to access
You will have the right to access the personal data that organizations hold about you and, most significantly, to learn how and for what purpose it is being held or used. Moreover, organizations must provide this data in an electronic format, at no cost.
3. Right to be forgotten
Through this regulation, you will also have the right to be forgotten. This means you can ask any organization that controls your data to erase it and to stop third parties from using it. In addition, individuals will have the right to demand that their data be transferred from one data controller or organization to another.
4. Mandatory breach notification
GDPR requires companies to report data breaches to the Data Protection Commissioner immediately and to notify the people whose data was compromised within 72 hours. The commissioner or the relevant authority will examine the compromised data and the preventive measures in place at the time of the breach, in order to evaluate the repercussions of the breach and ensure future compliance.
5. Specific protection for children
Since children are generally more exposed to and less aware of tech-related risks, GDPR aims to shield them. For children under the age of 16, the person holding "parental responsibility" must act or consent on their behalf.
A brief summary of other key changes
Other significant changes that take effect with GDPR include the following:
- There will be only one national office for complaints.
- Consent will require a clear affirmative action, and people can withdraw their consent to data usage at any time.
- Organizations will have only 72 hours to inform the relevant regulatory authorities of any data breach that may pose a risk to data subjects.
- Large data controllers must appoint a data protection officer.
- Organizations will be required to erase data that is no longer used for its original purpose.
- The minimum age for people whose data can be collected will rise from 13 to 16.
Are there any penalties for breaking the rules? Yes, and they are substantial. A company in breach of GDPR requirements can be fined up to 20 million Euros ($24.6 million) or 4% of annual global turnover, whichever amount is higher.
Lesser breaches, such as failing to notify the data subjects or the supervisory authority about a breach, or failing to keep records in order, can lead to a fine of 2% of global revenue.
What effect will this rule have on organizations?
Large organizations have had two full years to prepare for these changes. The big tech companies, which have massive user bases and handle huge amounts of data, have already disclosed what they are doing about it.
For instance, a few weeks ago Facebook released new privacy measures to help it comply. WhatsApp has raised its minimum user age in Europe from 13 to 16. Other notable technology companies such as Twitter and Google have also amended their privacy settings in preparation for the new rules.
How to prepare for GDPR?
First, your organization should build or adopt tools that guarantee maximum privacy. Work with your IT department or data protection officer to identify a secure solution that fits your needs.
Second, partner only with third-party providers that are fully GDPR compliant. This includes your marketing services, email service provider, e-signature solution providers, CRM service, and so on. As you may be aware, you can now be held accountable for breaches caused by your partners, so make sure that all of your data processing activities are in compliance.
If you have any questions or want to discuss how we can help your company become GDPR compliant, feel free to contact us.