The General Data Protection Regulation (GDPR) is a series of articles that replaces the EU's current Data Protection Directive, 95/46/EC. This major change came into force on May 25, 2018. Governing bodies decided to step up security measures because of growing cyber threats and crime, e.g. the proliferation of IoT devices. In addition, the increased reliance on web-based services that regularly handle personal user information has shown how quickly innovation outgrew the EU's original protections. So, what do businesses and organizations need to do? Let's take a look at the rules first:
The European Union aims to increase transparency about how data is being used and enhance personal privacy. That’s why the GDPR was established to create consistent and thorough data privacy laws across Europe. With that, personal data under GDPR will be expanded to include: computer IP addresses, biometrics, medical info, social networking site posts, bank details, email accounts, photos, and names. This means that the process of obtaining and using this personal information will be heavily regulated. Here’s how:
- According to Article 23, controllers need to achieve data minimization. They should only process and hold data that is absolutely necessary for the completion of their duties.
- The “Right to be Forgotten” section states that users have the right to withdraw their information, if they decide to revoke consent. Data processors and collectors must comply with this request.
- Users always have the right to know what their data is used for and how it is being used.
- User consent forms must be written in an accessible and clear manner (no lengthy forms!). Clear options must be provided to allow users to withdraw consent.
To protect personal information, GDPR will be imposing stricter regulations on businesses that control or process user data. Part of the process will involve leveraging the expertise of data protection officers (DPOs). It is mandatory to appoint DPOs within business operations that involve large-scale processing or monitoring of sensitive personal data at an international, national, or regional level.
In the event of non-compliance, EU-based businesses can face heavy fines. Current estimations show that penalties and fines may total six billion in the first year GDPR is in effect. The fines are divided into two levels, i.e. Level 1 fines and Level 2 fines. For example, if a company fails to keep proper data records (a Level 1 fine), it will need to pay a $12 million fine or 2% of worldwide annual revenue, whichever is higher.
How to Prepare for this Major Change
- Make plans to hire a DPO: DPOs can assist in preparatory measures such as testing your incident response plans. You should have procedures in place that allow you to report a data breach within 72 hours. If not, you may require risk-minimization training.
- Amend your company's existing data protection plans: You need to ensure that your company's standard practices align with the guidelines established by GDPR. Don't forget to ensure that your mobile devices are compliant as well.
- GDPR compliance documentation: You are required to maintain clear, timestamped, and thorough user records, including demonstrations of consent.
- Ensure that major third-party partners are complying with GDPR regulations: Those who continue sharing non-compliant data pose long-term liabilities.
- Use the correct opt-in language: GDPR consent standards comprise easy withdrawal, naming all parties that rely on user consent, unchecked opt-in boxes, terms & conditions kept separate from the consent form, and unambiguous language.
- Secure user data: All data transfers should be facilitated in a private and secure manner.
- Conduct a risk assessment: Start taking inventory of your third-party lead generators, landing pages, and websites. Make sure that you review your customer touch points as well.