Even if your business is not located within the EU, it may still be processing the personal information of EU citizens. This applies to data processors as well as to controllers of private information such as billing or shipping addresses, online banking passwords, and so on.
The consumer must receive clear facts about the processing of their personal data, and they retain the right to refuse at any point.
What is GDPR?
In early 2018 you probably received privacy communications from your bank, email provider and social media apps. This is because the European Union's GDPR came into force on April 1, 2018. It is an enforceable data protection law that creates a single set of rules and provides authority for protecting citizens across the entire EU as well as the EEA free-trade zone.
The GDPR defines three parties that handle, manage and secure information: data controllers, data processors and data subjects. Data controllers decide how and why personal data is handled and what happens to it; they include business owners as well as employees. Data processors are third parties who carry out tasks on behalf of data controllers, such as cloud storage companies like Tresorit or mail service providers like Proton Mail.
Data subjects are the people whose data is processed. They must read a notice and affirm, through an explicit action, that they consent to the collection, processing and storage of their PII. Consent must be explicit, because it cannot be implied by silence or inaction. The GDPR requires that individuals explicitly opt in to data collection, which means pre-checked boxes and endless pages of legalese are not considered freely given, informed, explicit consent.
The law gives individuals the right to request a copy of their PII from any organization that holds it, and requires businesses to provide that data in an easily usable format. This is a major shift for many businesses, but it is an essential step toward GDPR compliance.
A further aspect of the GDPR is data portability: information can be transferred out of a business without having to be re-entered. Portability benefits not only the consumer but also the overall security of the company's information.
To remain compliant, organizations will have to keep their technology platforms and data structures up to date. Every department needs to work together to decide which details about the enterprise are kept, and then organize that data so that every item of data about a person is handled correctly.
What will the GDPR's effect be on my company?
The GDPR has a broad effect on businesses. It has been in force since May 25, 2018 and brings many changes to the way companies handle personal information. The legislation affects all areas of the business, from IT to marketing. The new standards also give consumers greater protection from advanced cyberattacks such as ransomware.
Although the GDPR has been in effect since the beginning of January, many businesses are finding it difficult to meet its requirements. Research shows that only 29 percent of companies are fully GDPR-compliant. That leaves a large majority non-compliant, so it is no wonder that small business owners find it difficult to get their GDPR affairs in order.
The GDPR requires all enterprises to obtain the express consent of individuals before processing their personal data. You cannot add someone to your customer list without an explicit opt-in. You must also clearly explain why you are collecting the data and what it will be used for, and you must be able to demonstrate the individual's consent and show that they are aware of their legal rights.
Furthermore, the GDPR requires businesses to collect only data that is relevant to the processing. So you cannot use CCTV to watch your workplace, or Google Analytics to track visitors to your site, if those people are not customers or potential clients. The GDPR further requires that personal data be handled securely.
As a result, the GDPR is forcing all businesses to review how they handle their data and their privacy policy. E-commerce has been the most affected sector, since it had to create new processes and protocols for gathering and processing customer data. At times this has been a problem, because certain businesses had to remove features from their sites and platforms to comply with the GDPR.
What should I do to make myself more prepared for GDPR?
The GDPR comes into force on 25 May 2018 and requires businesses to modify their existing data protection systems to achieve compliance. Businesses that fail to meet the law's requirements could face fines of up to 20 million dollars or 4 percent of their worldwide revenue (whichever is greater).
Start by performing a comprehensive inventory of the personal information within your organization. List all personal data that is collected, stored and processed, and analyze how it relates to the purposes stipulated by the GDPR. You can then create an action plan that identifies the areas where changes are needed. Prioritize these tasks by the risk they present, and estimate the funds, timeline and time required for each.
Next, review any third-party services or companies your business uses. Make sure they are GDPR-compliant and that you have a contract in place with them that covers any data transfers to the EU. It is also recommended to conduct a risk analysis of all processes and practices that handle children's information, because the GDPR sets stricter standards for age verification, consent and processing.
Verify that the consents you rely on to use personal information are explicit, detailed and easy to change. Review your processes for handling requests from individuals who wish to exercise their new rights: the right to information, the right of access, the right to rectification, the right to limit processing, and finally the right to removal.
Finally, make sure your organization is equipped to manage privacy breaches. Set up an internal response team and a plan for notifying the affected people. Consider appointing an Information Security Officer if one is required. In addition, keep your organization's privacy policies current and easily accessible to all employees.
What should I do to prevent GDPR impacting my business?
The GDPR's impact on your company depends on how you control personal information. The law defines personal data as information that can identify an individual; this covers contact information, names, financial details, medical records and IP addresses. If you hold this type of data, you must comply with the GDPR's stipulations or risk penalties such as fines or sanctions.
Your business can be protected against the impact of the GDPR by putting steps in place to ensure compliance. First, conduct a data review to find out what personal information you hold and how it is used. Once you have done so, you can create a plan to update your privacy guidelines. This could be as simple as requiring two-step opt-in for newsletter subscriptions, ensuring that you have a legal basis for collecting personal data, and ensuring that your suppliers and subcontractors are also GDPR-compliant.
Another way to limit the GDPR's impact on your business is to have a process in place to detect and handle data security breaches. The regulator must be informed of a data breach after 72 hours, so you need a process to detect and prevent leaks. This could include forming teams that review any new or existing data to ensure it meets GDPR requirements, adding consent forms to your site that clearly explain how your business uses personal information, implementing a system to accept withdrawal of consent from customers currently using your services, and reviewing and updating agreements with third-party vendors to make sure they comply with the GDPR.
It is important to remember that the GDPR affects all businesses, not only those in the EU. Companies that process the data of EU citizens, or of anyone in the European Economic Area, are required to adhere to the GDPR's requirements.
The GDPR treats consent as an important factor for both consumers and businesses. Companies are not permitted to bury terms in long contracts that consumers do not know about. The GDPR will also boost your users' trust in your business, and it encourages your company to streamline its data platforms, which can also benefit departments such as marketing and sales, who will be able to target their audience better.