The dynamics of doing business are set to change greatly with the launch of the European Union’s General Data Protection Regulation (GDPR) in May 2018.
The complex regulation is set to unsettle the data landscape, affecting all areas of business operations for many entities, including marketing, sales, cybersecurity and human resources. As the launch date approaches, most businesses are giving precedence to compliance with the law so that they can continue doing business with ease.
The law is built around two major principles, which seek to:
- Give EU citizens absolute rights and more control over their personal information.
- Set stringent regulations on how companies collect, process, share and store client personal data.
What is the importance of GDPR?
The new law was introduced to synchronize the already existing data protection laws with advancements in technology. From purchasing goods to paying bills to banking, there is a lot that one can do by entering their personal details online. With an increase in cyber-crime involving the theft of Internet users' data and identities, there has been growing concern among EU citizens about the control they have over their data. The law is there to protect against the devastating consequences that come with identity theft.
Who has to comply?
The GDPR applies to all entities and individuals doing business with citizens of the EU’s 28 member states regardless of whether the company operates in the EU or not. Any organization that controls personal data either by collecting, processing, sharing or storing it will have to comply. It encompasses those offering goods and services to the subjects in the Union as well as those monitoring their behavior within the member states.
What is personal data?
According to the regulation, personal data is any information that can be used to directly or indirectly identify someone including a name, phone number, address, identification number and email address. It also includes data provided under a false name commonly referred to as “pseudonymization”.
There are special categories of data which have been accorded more restrictions. Under the law, processing of data that leads to the revelation of a person’s religious beliefs, ethnic or racial origin, trade union membership, political opinion, health, genetics, biometrics or sexual orientation is prohibited.
Permanently encrypted data where the owner cannot be identified is exempted. Any data stored in a filing system is subject to the regulation, regardless of whether it is partly or wholly processed through automated means or recorded by hand, failing which severe penalties will be meted out.
Benefits to citizens
GDPR gives EU citizens greater control over the use of their personal data. A company must inform a person why it is collecting personal information and how it intends to use it. Consent must be clearly given, not implied or ambiguous; otherwise the collection, processing and storage of the data will be illegal.
Privacy notices to customers are a common practice, but under the new law businesses must say goodbye to the current long, tiring ones that no one bothers to read. GDPR dictates that a privacy notice must be clear, precise and easy to read and understand for all classes of EU citizens.
The period for which a company stores a citizen's data must be clearly indicated, and the person has a right to access and rectify any information provided during this period. Citizens hold the right to be informed beforehand if you intend to use data for purposes other than those it was originally collected for, and they must give their consent. Similarly, they must be informed if you intend to share their data with a third party.
Since individuals own their data, consent can be withdrawn at any time, and a company has to stop using, sharing or storing the information with immediate effect. Furthermore, they have a right to erasure of the information from your database, or a right to be forgotten, which must also be implemented as soon as it is requested. If the data has been shared, the third party must also delete the information.
To avoid any data breaches, you must put security measures in place. The company must develop and put into operation safeguards throughout its framework. Employees must be trained on what constitutes a breach and how to pick up red flags.
If a breach does occur, it is necessary to take quick action and notify the data owners and the authorities. Under the law, failure to do so within 72 hours will attract a hefty fine. Do not forget any third parties you have shared your data with. It is important to ensure they have the right security measures in place, since their noncompliance is an extended liability to you in case of a breach.
Are you prepared?
Without a doubt, this long and complex overhaul of data laws, with its complicated requirements, will require resources, effort and time to implement. However, it will add value to your business and put you at an advantage. Customers value privacy, and proving to them that you care about protecting their rights is a unique selling point. It will grow their trust and increase their loyalty, translating into more business.
All these provisions in the law could pose serious problems for those who have not familiarized themselves with it; therefore, businesses will have to be meticulous when dealing with data. To ensure compliance, companies must employ a data controller or protection officer who will clearly and comprehensively process and store data such that it is easy to know where information on a client is located, what it is being used for and who it has been shared with.
A breach or failure to comply will attract a fine of 4 percent of the company's global annual turnover or up to €20 million, whichever is greater. Such a fine is a huge burden even for a big company; therefore, if you have not taken the necessary measures, it is time to do so before May 25th.
*Story written by Reciprocity Labs