With less than a year until the GDPR enters into effect, European companies still find it quite challenging to understand and comply with its requirements.
The main purpose of the regulation is to facilitate the flow of personal data across the member states and to protect this data, thus ensuring that individuals' rights are upheld. Central to the changes in data regulation are trust and consent, with European citizens being able to deny or withdraw their consent for a certain entity to use their personal data.
The regulation highlights the importance of clarity and dynamic consent. This means that organizations are required to be transparent on how they manage, store and share personal data. Individuals, including customers, employees or business partners, will be able to give companies explicit permission to use their data for a specific purpose.
If any third parties need to gain access to personal information, they will have to receive consent, and the exact third party should also be clearly named. Consent mechanisms are required to be obvious, concise and easy to understand for each individual type of data and collection method. Should anything related to the original consent change, such as the purpose of processing the data or the collection method, new consent will be necessary for the new purpose.
An overview of all consent given is also mandatory. Companies should know who consented, when, and to what, and these records should be stored separately from any other documents the company might keep.
In addition, according to the regulation, it is now mandatory that organizations notify their customers, employees or users, as well as the authorities, in case of a data breach. Moreover, organizations must share any information that might indicate the cause of the breach, how it was detected, how long it took to notice the breach and what measures have been taken to limit the damage.
OK, so companies that process personal data need to receive an explicit consent that they’re allowed to do that. But what kind of details qualify as personal data?
The definition of personal data is, indeed, formulated quite generally in the GDPR; however, it should not be that difficult to figure out. Any data that may be used to identify a certain individual or their location is personal data and falls under the scope of the GDPR. Online identifiers, such as IP addresses, are also considered personal data, as are genetic and biometric data and any tracking data gathered by the websites we visit. Basically, whether you own an online shop that processes sensitive customer data or an organization with one or more employees, you need to comply with the GDPR.
Many companies seem to be confused about the applicability of the GDPR. The regulation applies to any organization that processes and stores the personal data of individuals residing in the EU. This means that all companies that have employees, customers, users or business partners in one of the 28 member states are obliged to comply with the GDPR, regardless of whether or not they themselves reside in those countries.
As mentioned, the regulation is aimed at ensuring that individuals are more aware and more protected when it comes to their rights. GDPR covers 8 individual rights:
At the beginning of 2017, a study conducted by IDC revealed that 52% of respondents were quite confused about the impact the GDPR might have on their business. Furthermore, a quarter of them had no knowledge whatsoever of the GDPR. Of those who did know of its existence, only 20% believed that they were already compliant.
This shows that organizations are not really responsive when it comes to regulatory changes. Most business owners wait until the last minute to comply or to make the changes required by a certain directive or regulation. Even though the requirements may seem confusing or difficult to implement, organizations need to acknowledge that the GDPR is aimed at helping them cope with future global changes. Soon enough, identity will become a commodity and it will all be about data protection.