GDPR: Do you know what you need to do by May 2018?
With less than a year until the GDPR enters into effect, European companies still find it quite challenging to understand and comply with its requirements.
The main purpose of the regulation is to facilitate the flow of personal data across the member states while protecting that data, thus ensuring that the rights of individuals are upheld. Central to the changes in data regulation are trust and consent, with European citizens able to deny or withdraw their consent for a given entity to use their personal data.
The regulation highlights the importance of clarity and dynamic consent. This means that organizations are required to be transparent on how they manage, store and share personal data. Individuals, including customers, employees or business partners, will be able to give companies explicit permission to use their data for a specific purpose.
If any third parties need to gain access to personal information, they will have to receive consent, and the exact third party should be clearly named. Consent mechanisms are required to be obvious, concise and easy to understand for each type of data and each collection method. Should anything related to the original consent change, such as the purpose of processing the data or the collection method, new consent will be necessary for the new purpose.
Keeping a record of every consent is also mandatory. Companies should know who consented, when, and to what, and these records should be stored separately from any other documents the company might keep.
In addition, according to the regulation, it is now mandatory that organizations notify their customers, employees or users, as well as the authorities, in case of a data breach. Moreover, organizations must share any information that might indicate the cause of the breach, how it was detected, how long it took to notice the breach and what measures have been taken to limit the damage.
What constitutes personal data?
OK, so companies that process personal data need to receive an explicit consent that they’re allowed to do that. But what kind of details qualify as personal data?
The definition of personal data is, indeed, formulated quite generally in the GDPR; however, it should not be that difficult to figure out. Any data that may be used to identify an individual or their location is personal data and falls within the scope of GDPR. Online identifiers, such as IP addresses, are also considered personal data, as are genetic and biometric data and any tracking data gathered by the websites we visit. Basically, whether you own an online shop that processes sensitive customer data or run an organization with one or more employees, you need to comply with GDPR.
My company is not in Europe, is GDPR something I need to be concerned about?
Many companies seem to be confused about the applicability of GDPR. The regulation applies to any organization that processes and stores the personal data of individuals residing in the EU. This means that all companies that have employees, customers, users or business partners in one of the 28 member states are obliged to comply with GDPR, regardless of whether or not they themselves reside in those countries.
What rights of the individuals is GDPR protecting?
As mentioned, the regulation is aimed at ensuring that individuals are more aware and more protected when it comes to their rights. GDPR covers 8 individual rights:
- The right to data portability: enables individuals to retain and reuse their personal data for their own purposes.
- The right to object: under certain circumstances, individuals are entitled to object to their personal data being used. For instance, if a company uses personal data for the purpose of direct marketing, scientific or historical research, or for the performance of a task in the public interest, individuals are allowed to deny consent.
- Rights related to automated decision making and profiling: GDPR aims to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision that has a legal bearing on them or is based on automated processing.
- The right to be informed: organizations must be completely transparent about how they are using personal data.
- The right of access: individuals have the right to know exactly what information is stored and how it is processed.
- The right to rectification: individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure: also known as "the right to be forgotten", it refers to an individual's right to have their personal data deleted or removed without having to give a specific reason for wishing to discontinue.
- The right to restrict processing: refers to an individual's right to block or suppress processing of their personal data.
At the beginning of 2017, a study conducted by IDC revealed that 52% of respondents were quite confused about the impact GDPR might have on their business. Furthermore, a quarter of them had no knowledge whatsoever of GDPR. Of those who did know of its existence, only 20% believed that they were already compliant.
This shows that organizations are not very responsive when it comes to regulatory changes. Most business owners wait until the last minute to comply or to make the changes required by a given directive or regulation. Even though the requirements may seem confusing or difficult to implement, organizations need to acknowledge that GDPR is aimed at helping them cope with future global changes. Soon enough, identity will become a commodity and it will all be about data protection.