Effective as of May 25, 2018, the General Data Protection Regulation (or GDPR) has been a hot topic in the business world. Businesses and organizations that fail to adhere to the new legislation originating out of the EU can face fines of up to 20 million euros or 4 percent of annual turnover (whichever is higher).
Two of the main objectives of the legislation are:
- to give citizens and users back control of their personal data
- to simplify the regulatory environment for international business by unifying regulation within the EU
In this blog post, we look at GDPR, explore what it might mean for your business, and outline steps you can take to ensure that you adhere to the new legislation.
At the heart of GDPR is personal data. The GDPR defines personal data as any information that relates to an identifiable person. This can include information such as:
- Email address
- Bank details
- Location details
- Medical information
- Computer IP addresses
These are just some examples of what may constitute personal data. Other examples of datasets you may be holding on individuals could be genetic data, sick leave, employment, salary and tax information and so on.
If you’re uncertain whether the information you store is personal data or not, it’s best to err on the side of caution: store only the data you need, and only for as long as you need it to undertake your processing activities. Additionally, any personal data you store should be encrypted or, at the least, pseudonymized.
Data Processors and Controllers
The GDPR applies to the Data Controllers and Data Processors. A Data Controller determines the purposes and means of processing personal data. A Data Processor is responsible for processing personal data on behalf of the Data Controller.
If you are the Processor, the GDPR places specific obligations on you. For example, you need to maintain records of personal data and processing activities, and you carry legal liability if any data you store is lost through a security breach.
If you are a Controller, you also have legal obligations where a Processor is involved: you need to ensure that your contracts with Processors comply with the GDPR.
You can find out more information regarding Controllers and Processors here.
Individuals’ Rights, Data and Consent
Under the GDPR, individuals have rights that include, but are not limited to:
- The right to request access to their personal data and to ask how that data is being used
- The right to be forgotten and to withdraw their consent from companies that store their data
- The right to data portability; for example, requesting their data is moved from one service provider to another
- The right to get the information corrected where it is found to be inaccurate or incomplete
- The right to object to the processing of their data for direct marketing
- The right to be notified in the event of a data breach that results in the compromise of their personal data
These are just some of the rights that individuals now have under the GDPR. Given the recent Facebook / Cambridge Analytica story, you can probably understand why giving digital citizens more control over their data has become a hot topic.
How does this affect US companies?
The legislation is targeted at businesses operating in the EU. However, even if your business is based in the US, you may still need to adhere to it.
For example, you might not ship products to the EU or have a physical presence there, but if you have a website (and chances are you do) that collects and stores user information, then you have to ensure that you’re taking the steps the legislation requires.
Maybe you gather user information for marketing purposes or send out newsletters, or maybe you deliver a SaaS solution over the internet. If you’re dealing with any form of personal information, the GDPR must now be factored into your daily practices.
Preparing for GDPR
Now that we’ve outlined what personal data is and the rights that digital citizens now have because of the GDPR, it’s time to look at some steps you can take to ensure that you’re on the path to compliance with this new legislation. What follows is by no means an exhaustive list, and if in doubt, we recommend speaking to a legal advisor.
Get a handle on your data
One of the first things you can do is undertake an audit of the types of personal data that you process in your business: where it comes from, where it is stored and used, and how it flows through your daily processes.
Identify where you rely on user consent
Another important aspect of the GDPR is user consent. With this in mind, you need to be able to determine whether you’re relying on user consent. If you are, you need to be clear and specific about it, given that the GDPR mandates that businesses obtain the user’s explicit permission. One way to reduce the overhead the regulation brings is to avoid storing data unless you absolutely need it.
Examine existing security policies
You’ll need to update your existing security policies to ensure they adhere to the GDPR. If you don’t have any policies or strategies in place, now is the time to correct this. Adopting encryption across the board for all personal data is a good place to start. This could save you embarrassment, and potentially fines, in the event of a security breach.
Prepare to meet access request SLAs
Under the GDPR, digital citizens have the right to access all of their personal data, and each request carries a deadline of one month from the original date of the request. Build procedures and processes around this timeframe to ensure that you can meet it.
Finally, ensure your employees understand what constitutes a personal data breach and implement processes to help identify potential issues before they occur. It’s also important that your employees know what the escalation process is in the event of a data breach and who is responsible for data protection compliance.
In this blog post, we’ve discussed the GDPR, the new rights users have and how the legislation will affect your business. Given the choice, users will prefer to deal with companies that care about their data and take their privacy seriously, which could make the new legislation an opportunity for your business to capture new customers.
Here at Growth Acceleration Partners, we have extensive expertise in many verticals. Our nearshore business model can keep costs down while maintaining the same level of quality and professionalism you’d experience from a domestic team.
Our Centers for Engineering Excellence in Latin America focus on combining business acumen with development expertise to help your business. We can provide your organization with resources in the following areas:
- Software development for cloud and mobile applications
- Data analytics and data science
- Information systems
- Machine learning and artificial intelligence
- Predictive modeling
- QA and QA Automation