As the deadline for GDPR inches closer, companies are scrambling to understand the requirements of the law and put the right systems and processes in place for compliance.
GDPR requires companies to treat a user’s digital data, such as IP addresses or cookies, in the same manner as other information about the user, such as a social security number or a home address.
In its current form GDPR is quite vague and takes a very broad approach to defining the specific steps that businesses should take. For example, it states that companies should provide a ‘reasonable’ amount of protection around customer data, but does not explicitly define what “reasonable” consists of.
What is GDPR?
The General Data Protection Regulation (GDPR) was initially built to bring all the EU member states under a single agreed law for the regulation and protection of data acquired by different companies. It ensures that information about clients and customers gathered by various companies and businesses is shared responsibly. The GDPR has been drafted to replace the previous act regarding customers’ information, the Data Protection Act 1998.
Why has it been drafted?
The GDPR has been drafted to ensure that all companies and businesses protect the confidential data they deal with. After the recent Cambridge Analytica scandal, it has been made compulsory to respect customers’ data and not to disclose it, either directly or through third-party platforms. There have been many cases where user data from Google, Twitter and Facebook has been used by different organizations for their own purposes without the customers’ consent.
When is it going to come in action?
The current deadline for companies to be in 100% compliance with GDPR is the 25th of May.
Who does GDPR apply to?
GDPR applies to all companies, businesses and organizations that deal with the data and information of customers residing in Europe. The fine print of GDPR sets out criteria such as: a presence in Europe; processing the data of European citizens; having more than 250 employees; or having fewer than 250 employees but carrying out activities that affect users’ sensitive data, even if only occasionally.
This description therefore covers a vast majority of financial services companies, SaaS companies, FMCG companies, online retailers (e-commerce) etc. Regardless of the business’s location, GDPR must be followed by all of these companies.
What type of data does GDPR intend to Protect?
GDPR intends to protect multiple facets of a user’s private data, including basic data such as ID numbers, name and address, as well as digital-footprint data such as IP address, cookies, location of access etc. There are also other types of private data that GDPR plans to protect, such as the user’s health data, sexual preferences, and ethnic and biometric information.
What are the penalties and fines for non-compliance with GDPR?
It is necessary to show compliance with all the rules and regulations of GDPR. In case of a violation of GDPR, heavy fines and penalties will be imposed on the business. This penalty would be 20 million Euros or more, and in the case of a data breach the fine would be more severe.
Why is consent important in GDPR?
GDPR has made it compulsory for all companies, businesses and organizations to first obtain consent from customers before using their private data for any purpose. It respects the privacy of users and insists on safeguarding the security of customers.
How can an audit help companies in their efforts to comply with GDPR?
Keeping an audit trail of all the customer data they have access to can help companies protect themselves from security breaches. Therefore, GDPR highlights that keeping an audit of all the data is compulsory.
How does GDPR give special importance to children’s privacy?
GDPR insists on protecting children’s information by all means. Companies’ systems should have a way of finding the age of clients/customers and then keeping children’s information secure and protected.
What is the right to be forgotten?
GDPR states that customers or clients have complete freedom regarding their information. If they want to delete their data, they can delete it without any interference from the organization.
What needs to be done in case of a security breach?
In case of a data or security breach, GDPR states that the company must inform all the concerned parties and authorities so that they can become more wary and alert. GDPR requires that companies report security breaches within 72 hours.
Build empathy for users’ privacy concerns.
Build a sense of urgency in the top management.
Get all the business functions like HR, finance and sales together to build a compliance strategy. It shouldn’t be restricted to IT teams alone.
Do an exhaustive risk assessment to understand what data your company is storing about EU citizens. Also make a list of all your IT products and applications and see what data those internal or third-party applications are using.
Hire a Data Protection Officer. You don’t need to hire a DPO full time; you can hire one remotely, or engage a consultant who has expertise in data protection.
Do mock drills for incident response.