Following the internet boom of the early '90s, the EU adopted Directive 95/46/EC in 1995 on the protection of individuals' data and its free movement.
Unlike the US, the EU views privacy as a fundamental human right. Americans seem willing to hand over control of their personal data, as long as the data is protected and used responsibly.
The EU has a strict policy restricting the movement of its customers' data from the EU to another location until a privacy agreement exists between the two parties.
With the growth of the e-commerce market and data transfer becoming a common scenario, the Safe Harbor agreement was reached between the US and the EU in 2000, promising to protect EU citizens' data.
In 2013, Edward Snowden revealed that certain U.S. intelligence services were tapping into internet companies' servers and accessing personal data.
On October 6, 2015, after the data leaks came to light, the EU court invalidated the Safe Harbor Agreement, declaring that it violated the fundamental right to privacy under EU law.
Most European companies operate differently from their US counterparts, where a company needs to inform whenever a breach has been made.
Europe contributes 25% of the world's GDP, so today companies hold a great deal of information that has been breached in the past or kept in unsecured form, and we don't have any information about it.
With the demise of Safe Harbor and the increased flow of data, the European Parliament adopted GDPR in April 2016, which would finally become effective on 25 May 2018.
What is GDPR?
GDPR, or General Data Protection Regulation, is more like a set of fundamental rights for citizens living in the EU that specifies how customers' data can be used and protected. The primary objective is to give citizens back control of their personal data.
The rules are strict and heavy penalties can be levied on those who don't comply with GDPR: the organization could be fined up to 4% of global turnover or €20 million, whichever is greater.
Whom does GDPR apply to?
Personal Data:
- Online identifiers
- Device identifiers
- Cookie IDs
- IP addresses
- Pseudonymised data
- Sensitive data: genetic and biometric data
Getting Ready
To prepare for the new EU GDPR, organisations will need to answer the following questions:
- What personal data do they process?
- Where is it across their organisation?
- Where is it transferred from and to?
- How secure is the data during the whole transfer?
As an organization, what do you need to do?
You certainly need to change the way you use and store data in your organization. Here we have curated a few steps that you can put into practice to be compliant with GDPR.
Store data in an organized manner
Data should be stored in such a way that you can answer to a person about what data you have stored on them and, if there is any GDPR investigation, you can show that you are taking proper steps to control the data.
You'll need to organise any data you've collected from customers and suppliers, as well as any past and present employees.
If you have stored data in digital format, you need to ask a few questions:
- What devices is it on?
- Do I have antivirus software?
- Can I remotely erase the contents if the device is lost?
- Are hard copies locked away securely?
- Who has access to the data in the organisation?
Don't hold onto data unnecessarily
You should be aware of the data that you are taking from the customer and know how you will be processing it.
Keeping data just because it might be helpful in the future is against compliance, so it is better to delete that data.
Clear and simple privacy policy
The key is to rewrite the privacy policy in clear, layman's language, avoiding technical and accounting jargon. You should include the following in your policy:
- What information is being collected?
- Who is collecting it?
- How is it being collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individual concerned?
If someone asks you what data you have on them, it must be given to them within 1 month and free of charge. This is why storing data in an organized way is a must, so that you can easily retrieve it.
If the data owner has requested the rectification of inaccurate data related to him or her for further processing, you should have a process to make the changes without undue delay.
If the data owner has requested their data in order to pass it on to another controller or processor, you are legally obliged to provide the data in a machine-readable format, and you have no authority to hinder the transfer of the data.
If someone asks you to delete their data, you are legally obliged to do that. You need to have a process to delete the data and make sure that it's no longer available in your records.
Previously, marketing material came with automated checkboxes that allowed organizations to store their customers' data, but now you need customers to positively opt in to your storage of their data for marketing purposes.
If your organization has recognised any data breach, the Data Protection Officer and the data owner must be notified of the breach within 72 hours.
Have an easy way to unsubscribe
If someone has requested to unsubscribe from your marketing material, provide them with easy instructions by mail, text, etc. so that they can do so; you are obliged to remove them from the list.
GDPR as a marketing factor
- European customers will trust you if you are GDPR compliant.
- Make GDPR part of your terms and conditions or show it in the footer of emails.
Things to know about GDPR in 2018 was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.