The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, changes how personal data of individuals in the EU may be processed and used for marketing, and non-compliance comes at a stiff price. In other words, you have no choice but to gear up for GDPR. What is this new regulation all about? In a data economy, protection of personal data is a high priority for any business that handles it, and the incoming legislation is focused squarely on data management and security, which is another way of saying it will affect your company's current protocols for handling sensitive and personal information.
The GDPR protects individuals in the EU against data leaks and cyber crime, and it applies to every organization that does business with, markets goods or services to, or monitors the behaviour of people in the EU. Yes, even if your organization's headquarters is not in the EU. The legislation, in part a response to data breaches around the world, aims to give ordinary consumers greater control over their personal information and how it is used.
Pay attention, CMOs: this will change the way you process and transfer data once it has been collected from consumers. Are you using qualified data personnel? Is your infrastructure up to date? Are you meeting your statutory obligations? Because soon, regulators can examine your data, the way you collected it, and how your company uses customers' personal information. Non-compliance with the GDPR has severe consequences that can cripple any organization, big or small, whose success hinges on the quality of the data it collects from its users.
With fines of up to €20 million or 4% of annual global turnover (whichever is higher), the GDPR is pushing modern organizations to restructure and to be more cautious and preemptive in their handling of sensitive data. Before we discuss the GDPR in detail, let's clarify a few of the fundamental entities and subjects involved in this legislation, since the definitions will help us understand the law better.
What exactly is personal data?
Under the GDPR, any information (a name, an ID number, location data, an email address, an online identifier, and so on) that relates to an identified or identifiable natural person, the data subject, is personal data. In simpler words, anything that identifies a person directly, or that can single them out by reference to their physical, physiological, genetic, mental, economic, cultural, or social identity, is personal data. Your unique tattoo? If it can be used to pick you out, quite possibly yes.
What is a data subject?
A data subject is a living individual who can be identified, directly or indirectly, from personal data. Here is a simple test: if a record can be tied back to a person through an identifier such as an email address, username, or digital alias, the person behind it is probably a data subject.
The other two key players in the GDPR that warrant attention are controllers and processors. The controller determines the purposes of collecting personal data and the means by which it is processed. The processor processes personal data on the controller's behalf and only on the controller's documented instructions. To put that into perspective, the controller remains responsible for ensuring the processor abides by data protection law, and the GDPR requires a written contract between the two that sets out the processor's obligations.
Let’s talk about the primary aspects GDPR covers and your action plan.
The GDPR applies first of all to businesses established in the EU, but also to companies based outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. To safeguard your business, especially if you are based outside the EU, consider appointing a representative within the EU, which the regulation requires in most such cases, who can act as the point of contact for regulators and data subjects and help ensure your data efforts are compliant.
Under the GDPR, you must be able to demonstrate that you are complying with its requirements, not merely assert it. This means that if you engage in high-risk processing, you must carry out a data protection impact assessment (DPIA) before you start, and if the assessment shows a high residual risk you must consult your supervisory authority, which will affect the timing of your initiatives. One proactive step is to maintain records of all your processing activities, which the regulation requires of most organizations in any case. Adapt your product development process so that a DPIA is part of it rather than an afterthought.
Where you rely on consent, it must be freely given, specific, informed, and unambiguous, and it must be explicit when you process special categories of data (such as health or biometric data) or when you rely on consent to transfer personal data outside the EU. Individuals have the right to withdraw their consent at any time, and that is a challenge for a business whose operations depend on consent remaining valid. Review your existing consents to determine whether they meet the GDPR standard. Where possible, consider whether another lawful basis, such as performance of a contract or legitimate interests, fits the processing better than consent.
Data subject rights
The GDPR strengthens and extends the rights of individuals, including the right of access, the right to rectification, the right to erasure (the "right to be forgotten", which includes being removed from your mailing lists), the right to object to processing such as direct marketing, and the right to data portability. Some of these rights are new and it is not yet clear how they will operate in practice. Consider how likely individuals are to exercise them against you and what that means for your business day to day. Based on that analysis, set up processes to capture, record, verify, and act on such requests, bearing in mind that you generally must respond within one month.
Data security and data protection personnel
Want to boost accountability in your data protection efforts? Make it someone's explicit job. A data protection officer (DPO) who reports to the highest level of management should be involved in all data protection matters. The DPO's role is to advise on and monitor compliance, including the security measures the regulation expects, such as encryption, pseudonymisation, and controls that preserve the integrity and availability of personal data. Determine whether you are required to appoint a DPO (public authorities, organizations whose core activities involve large-scale regular monitoring of individuals, and those processing special categories of data at scale must) or whether you want to appoint one voluntarily. Consider whether a single DPO for the whole business is enough, or whether you need a broader team of experts behind that role. Also consider setting up a central breach management function to collect, assess, and notify breaches, since the regulation requires notifying the supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and notifying the affected individuals where the risk is high.
The GDPR may be only the first of many such regulations to come into effect this year or afterwards, as data privacy and portability become better defined across the industry. If your business handles data that can identify people, treat the GDPR as your strongest guide to the steps and resources you need. Stay informed and prepared for the latest changes in data security and privacy by making GDPR compliance a top priority.