# Are You Willing to Risk $23 Million Fines? Learn How to Comply with GDPR Privacy Regulation in Just 6 Steps!

In May 2018, the General Data Protection Regulation (GDPR) came into effect, affecting businesses across the globe. GDPR is a set of regulations that govern data protection and privacy with the aim to protect the personal data of individuals. The GDPR regulates how businesses process and protect the data of EU citizens. Any organization that handles the data of EU citizens, whether the organization is located within the EU or outside of it, is subject to the GDPR regulation. One of the most significant things about GDPR is the tough penalties it imposes for non-compliance - fines up to 4% of the organization’s annual revenue, or €23 Million, whichever is greater. Therefore, it is crucial for businesses to comply with GDPR regulations to avoid these hefty fines.

### Understanding GDPR Regulation

Complying with GDPR Regulation requires a thorough understanding of its basic principles. GDPR regulation is built around six high-level principles: Purpose Limitation, Data Minimization, Data Accuracy, Storage Limitation, Integrity and Confidentiality, and Accountability. These principles emphasize the importance of gaining explicit consent to process data, providing clear information to data subjects, securing the data adequately, and appointing a Data Protection Officer (DPO) within the organization.

### Basic Steps for GDPR Compliance

Here are six basic steps organizations should follow to comply with GDPR regulation:

1. Know your Data: Before you start thinking about compliance, you need to understand what data you have, where it is stored, who is responsible for it, and how long you need to retain it. Assessing these elements will provide insights into what the organization is required to do to be GDPR compliant.

2. Implement adequate security measures: The GDPR regulation requires you to secure the data you process or retain adequately. Implementing adequate security measures (procedural or technical) to protect the data is crucial to ensuring compliance.

3. Appoint a Data Protection Officer: The GDPR regulation requires organizations to appoint a Data Protection Officer (DPO) responsible for monitoring the company’s data protection strategy regularly.

4. Obtain Explicit Consent: Organizations must obtain explicit consent from every data subject whose personal data they collect and process, emphasizing that the data will only be processed for specific purposes.

5. Be Transparent: The GDPR regulation requires businesses to provide clear, transparent information to data subjects about how their data is collected, processed, and shared.

6. Be Ready to Respond: The GDPR regulation empowers data subjects to request their data, rectify their data, and even request that their data be deleted. Organizations must be equipped to fulfill these requests within a reasonable timeframe.

### Final thoughts

Although it can be daunting, complying with GDPR regulation is not rocket science. GDPR compliance primarily involves an organization understanding what data it holds, who is responsible for it, which rights the data subjects have, and what measures must be taken to ensure the GDPR regulations are met. Undertaking these six steps serves as a solid foundation for GDPR compliance, enabling your organization to keep a squeaky clean GDPR record and avoid the hefty fines that come with non-compliance. Adopt GDPR compliance today, and protect your organization from the risks of non-compliance.

While cybercriminals never stop trying to find a new vulnerability to exploit, they can’t take the blame alone, as the same companies trusted with valuable PII often make a hacker’s job much easier. Companies assume a lax cybersecurity posture, fail to implement basic security controls such as patch management, and drop the ball on employee awareness. Unfortunately, cybercriminals and breaches are not the only threats to private information, as proven by the way Facebook misused customers’ data in the Cambridge Analytica case. This culminated in greater pressure for updated laws that made sure people’s personal information was adequately handled and protected. While many countries are still in the process of updating and approving new privacy rules, the European Union (EU) is ahead of the curve with their General Data Protection Regulation (GDPR).

What is the GDPR and How Am I Affected by It?

The GDPR is the EU’s most important change in data privacy regulation in 20 years, but its impact is not limited to the Old World. In fact, its application is not limited to organizations located within the EU at all; it is mandatory for any organization (including those located outside of the EU) that offers goods or services to, or monitors the behavior of, EU data subjects. To summarize: after the two-year transition period that ended in May 2018, the GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. So what happens if a company fails to comply with the GDPR? Well, aside from a great deal of bad press, it can result in a hefty fine of 20 million euros or 4% of the company’s global revenue — whichever is larger.

GDPR Compliance in 6 Steps

Achieving GDPR compliance can seem daunting at first and, yes, while most concepts were also a part of the Data Protection Act (DPA) of 1998, there are several new aspects and more rigorous standards that every company that falls within the GDPR’s reach must now follow. The good news is that this new regulation is pretty straightforward, mostly based on two key principles:

- As a company, you should only collect personal data with a clearly-defined purpose and never use the information for something else
- Never collect more data than you need

Here are a few simple steps that should help your GDPR compliance efforts:

Step 1 – Hire a Data Protection Officer (DPO)

The DPO is the person responsible for making sure your company is GDPR-compliant, so it makes perfect sense this should be one of your first steps. Please keep in mind that not every company needs to appoint a DPO; it is only mandatory for public authorities and/or companies larger than 10 to 15 employees which process personal data. However, even if your company is not required to have a formally-appointed Data Protection Officer, it’s still a good idea to have someone defined as responsible for the protection of personal data. GDPR Article 39 is quite clear on DPO tasks: he or she works as an adviser on all matters related to data protection but is also responsible for monitoring compliance and functions as a central contact point with the supervisory authority. It is important to know that the data protection officer may fulfil other tasks and duties in the company, as long as it does not result in a conflict of interests.

Step 2 – Check for Processed/Stored Personal Data

According to the GDPR, companies should only collect personal data with a clearly-defined purpose, and never use it for anything else. Based on this premise, a top priority for your newly-appointed DPO is confirming every case where your company collects, stores or processes personal data, checking to see if there is a legal basis for the purpose for which it is done. For example, if your company’s core business is simply transporting/delivering goods to customers, the most basic personal information you need to complete the job is the customer’s full name, a complete address for delivery, and a contact number or email for notifications and emergencies. In this case, there is no legal ground for requesting personal information such as a customer’s birthdate, gender or marital status — unless, for example, you are doing so in order to send them notice about special offers or advertisements, in which case you should first request their consent (more on that later!). To put it simply, if you are collecting, processing or storing more personal information than you really need, the best solution is to stop doing so. An intelligent approach for full transparency and compliance is preparing a document explaining what personal data your company holds and for what reasons. This should include:

- The purpose of the data collecting, storing or processing
- The types of personal data collected, stored or processed
- The storage periods
- Technical and organizational security controls employed to protect personal data
- Whether personal data is transferred to recipients outside of the EU

Step 3 – Obtain Consent

Consent is one of the legal grounds for processing personal data, and according to the GDPR, it is absolutely necessary to receive it before processing or storing customer data. A key point for compliance is understanding that getting consent should be done using clear and plain language. Customers need to know who your company is, when their data is requested/collected, why it is being processed, how long it will be stored and who receives it. While in the past silence from the customer side was sufficient for consent, the GDPR requires proof that a company received positive confirmation from a customer before using their information. Also, if there are any changes (e.g. using personal information for a reason that was not explained before), a new request for consent is necessary. A great approach for full transparency is creating and publishing a privacy policy that explains how personal information is collected and used by your company, but please keep in mind that this does not count as positive confirmation. There should still be some way of proving that customers have accepted this policy and given their consent.

Step 4 – Keep Data Only for as Long as Necessary

This step is quite simple: your company should not store or process personal information indefinitely. If the original purpose for collecting, storing or processing personal information has been fulfilled, this data should be securely disposed of. For example, in the case of employees, personal data should be kept just as long as the employment relationship and related legal obligations last, and the same goes for customers; keep their data just as long as the customer relationship and any related legal obligations last. For some businesses, the value of personal data can be quite high, making it one of the company’s top strategic assets. So the fact that many companies are not willing to easily part with it is perfectly understandable. For this reason, if your company desires to keep valuable data which could otherwise be deleted, make sure there is consent. Explain to your customers/employees the reasons why you wish to retain their data, and make sure there is positive confirmation from their side.

Step 5 – Secure All Personal Data

Per the GDPR, personal data should only be processed in a manner that ensures an appropriate level of security and confidentiality, including controls for preventing unauthorized access to or use of personal data and the equipment used for its processing. It is important to remember that it does not matter whether personal data is stored electronically, as part of an application or in physical/hard copy: your company is still fully responsible for its security. Extra attention should be given to sensitive information, including health, race, sexual orientation, religion and political beliefs. It’s quite clear that your DPO should have a close relationship with your security team. Another good approach for compliance is following an established security standard, such as ISO 27001. In cases where you need to be more thorough, regularly perform vulnerability assessments, or even a complete penetration test.

Step 6 – Respect Customer Rights

It should be quite obvious that the GDPR’s main focus is making sure companies respect their customers’ rights with regard to the processing and movement of personal data. These rights include:

- The aforementioned mandatory consent before collecting, storing and processing personal information
- Access and portability of personal data (i.e. allowing customers to access their data and give it to another company)
- Sending formal notifications within 72 hours of discovery in the event of a data breach
- Allowing customers the right to be forgotten (i.e. erasing personal data when requested as long as it does not compromise freedom of expression or the ability to research)
- Informing customers if their personal data is being used for profiling
- Giving customers a chance to opt out of direct marketing that uses their data
- Getting parental consent before collecting data from their children
- Making sure the necessary arrangements have been made before transferring personal data to countries outside the EU

This list may sound endless, but keep in mind that denying any of these rights will result in a direct GDPR compliance violation and, as mentioned before, fines up to 20 million Euros or 4% of the company’s global revenue.

Conclusion

Complying with the GDPR should not be a project purely focused on avoiding bad press or the financial impact of a major fine. This new regulation is all about respecting individual rights regarding personal information, something every company should do — especially when personal data is used on a daily basis as a central pillar of their business. In most cases, the road to compliance will result in a significant corporate culture change, affecting businesses of any size or geographic location that handle personal information and wish to continue doing business with the EU. In the end, this should not feel like a struggle; instead, it should be thought of as a necessary journey to a safer world in the information age.
