The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The overall objective of the regulation was to provide EU citizens with greater control over how their personal information is managed, stored and used. Importantly, European lawmakers have taken steps to restrict the ability of businesses to sell their consumer data. The General Data Protection Regulation applies to all companies conducting online business transactions with EU residents.
Is Your Business Affected?
The new regulation aims to complement every existing data protection law across the EU. All businesses based in the European Union that provide services or sell consumer goods to EU residents, as well as businesses that have offices in the EU and collect or process personal data, must be GDPR compliant.
Personal data simply means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
What are the basic requirements of compliance?
- Businesses must obtain consent.
  - You must have clearly defined terms and conditions that are not only easy to read and understand but are also free from wordy legal jargon.
  - Individuals must be free to withdraw consent at any time – and without conflict.
  - Consent for underaged individuals must be provided and verified by a parent or legal guardian.
- Notifications of security breaches must be delivered without ‘undue delay.’
  - All individuals affected by a data breach must be notified of the breach as soon as it is noticed, and data protection authorities must be notified within 72 hours.
- Individuals have the right to know how their personal data is being used.
  - Customers should be able to easily learn what personal data is being used, and for what purpose.
  - If confirmation of data use is requested, it should be provided at no additional charge to the individual.
- Individuals have the right to be forgotten.
  - All individuals have the right to request that their personal data be erased by the data controller.
- Some businesses might be required to appoint Data Protection Officers.
  - Public authorities and businesses that conduct large-scale consumer monitoring or process sensitive personal data must appoint a Data Protection Officer.
How can you ensure GDPR compliance?
The first steps to ensuring full compliance are:
- Conduct a full-scale audit of personal data – determine what data is being collected.
- Conduct a routine gap analysis: Using findings from the audit, determine which areas might require changes.
- Develop a governance structure to outline and manage compliance.
Next, address compliance issues at the customer level.
- Adhere to the requirements for GDPR compliance.
- Make it a practice to only collect the data that is absolutely necessary – if there is a chance that the data collected will not be used, don’t ask for it.
- Determine whether or not your company collects any sensitive personal data. If it does, use policies and processes to obtain explicit consent.
- Update all automated processes and update all privacy documents and notifications.
What happens if you are not compliant?
While businesses are still getting used to the new regulations, warnings are handed out for first-time infractions and unintentional non-compliance issues. However, if your business is found to be willfully in violation of the GDPR, you can face hefty financial penalties. More specifically, non-compliant organizations can be fined the greater of 4% of global turnover or €20 million.
Be prepared for regular, intermittent data protection audits.