GDPR: Your Data, Your Say!
By Pankaj Rane - May 18, 2018
Imagine a scenario: you are on your way home or to the office, and someone is continuously following you and keeping an eye on you the whole time. How would you feel about that? Your privacy is no longer private. You would feel frustrated and angry at the same time, wouldn't you?
This is what needed to be addressed, and GDPR is the first step towards changing it. According to EU information officers it is more of an evolution than a revolution, but it makes some grass-roots changes to the existing data protection law in the EU that will let users decide the level of privacy they want. Who hasn't heard of the Facebook drama that recently took place? So let's take a deep dive into GDPR and the aspects related to it, to understand it briefly.
What is GDPR?
GDPR stands for “The General Data Protection Regulation”, a privacy law from the European Union that becomes enforceable on May 25, 2018.
GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
Even though it is a European Union law, all online entrepreneurs need to pay attention, because the GDPR means major changes to the way they operate. The GDPR also regulates the export of personal data outside the EU.
Principles of GDPR
1. Data shall be processed “lawfully, fairly, and in a transparent manner."
2. Data shall be “collected for specified, explicit and legitimate purposes.”
3. Data processing shall be “limited to what is necessary” for the purpose.
4. Data shall be accurate, kept up to date, and corrected.
5. Data shall be kept so it identifies a person “no longer than is necessary.”
6. Data shall be “processed in a manner that ensures appropriate security.”
What types of privacy data does the GDPR protect?
Basic identity information such as name, address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Health and genetic data
Racial or ethnic data
Why are companies worried about GDPR?
If there is a data breach, non-compliance could cost companies dearly: a fine of up to €20 million (£17 million) or 4 % of worldwide revenue, whichever figure is higher. Companies must be able to show compliance by May 25, 2018.
Who will be responsible for compliance within your company?
The GDPR defines 3 roles that are responsible for ensuring compliance:
The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors meet compliance.
Data processors may be the internal groups that maintain and process personal data records, or any outsourcing firm that performs all or part of those activities. The GDPR holds processors responsible for breaches or non-compliance. It is possible that both your company and a processing partner such as a cloud provider will be liable for penalties, even if the fault lies entirely with the processing partner.
Data Protection Officer (DPO)
The GDPR requires the controller and the processor to appoint a DPO to supervise the data security strategy and to regularly monitor data handling and GDPR compliance.
GDPR effect on third-party and customer contracts
The GDPR places equal accountability on data controllers (the organization that owns the data) and data processors (outside organizations that help manage that data).
A third-party processor not in compliance means your organization is not in compliance.
The new regulation also has strict rules for reporting breaches that everyone in the chain must be able to follow. It is an organization's duty to inform customers of their rights under GDPR. You may have noticed recently that Facebook, LinkedIn and many other organizations notified users about their new privacy policies, which were updated as part of GDPR compliance.
Data controllers must notify data protection authorities of any breach that risks the rights of individuals within 72 hours of becoming aware of it. In the case of a high-risk breach, any affected individuals must be informed as soon as possible. When a data processor discovers a breach, it is the processor's responsibility to notify the controller.
It was unfair to users that companies could charge £10 to provide the details held about them under a Subject Access Request. With GDPR coming into the picture, this fee is being scrapped.
So with GDPR in force, companies need to be more careful and take extra precautions when handling users' personal information. It is a great step, and it will be interesting to see how well it is implemented and how effective it turns out to be.
The GDPR Compliance Checklist
Achieving GDPR compliance shouldn't feel like a struggle. A basic checklist you can refer to is available at https://gdprchecklist.io/; use it to harden your GDPR compliance.