Do you own a company? If so, how many of your customers are located in EU member states?
If the answer is more than zero, now is the time to take a few things seriously. Otherwise it may cost you dearly in the long run; a business that does not prepare can even fail over it.
Do you know what the GDPR is?
To answer those questions, read the whole article carefully.
First of all, I am not a lawyer or a legislation expert. This article is based on my ongoing study and research on the GDPR. I want to share my views and opinions so that it might help someone understand the GDPR, which stands for General Data Protection Regulation.
Behind the Scenes
It is crucial to understand the spirit of the GDPR. The legislation came into existence because of the way personal data has been handled in the past: many companies treated personal data as an asset they could exploit without regard to the rights of the individuals it described.
The internet has drastically changed how we communicate and handle everyday tasks. We send emails, transfer documents, pay bills and buy goods online, and for all of these activities we hand over personal data without a second thought.
Have you ever tried to find out how much data you have shared online, and what happens to it once it has been given?
Bank details, contacts, addresses, social media posts, IP addresses, registrations on different sites and even the sites you have visited are all stored digitally.
Companies collect this information on the promise that it lets them provide better services and a better user experience. But is that justification enough?
Questions like these have been raised and answered by the EU in a number of cases, and they are the reason the GDPR came into existence. So what exactly is the GDPR?
What is it
GDPR stands for General Data Protection Regulation, a regulation adopted by the European Union. It is aimed at giving people in the EU more control over how companies use their data, including sensitive (special-category) data and other private data.
It is an EU law that takes effect on May 25, 2018, and it imposes strict requirements on anyone collecting data about individuals who are in the EU. Note that it protects people who are physically in the EU, not only EU citizens or residents. Whether and how it applies to your business depends on what you collect and what you do with it.
Many people are in a state of panic about it right now, but once they understand what it is and how it affects their business, they can step back and take a deep breath, because it is not as bad as some believe.
Visit the official EU GDPR page for the full text of the regulation and the details of the law.
How does it work
The way the GDPR is framed, you are the company collecting personal data or sensitive data. If you collect and hold data about people in the EU, you are potentially going to need to comply with the GDPR. The test is: are you offering goods or services, whether free or paid, to people in the EU? It does not have to be a paid transaction. Equally, it applies if you are monitoring the behaviour of people in the EU. That is how it actually works.
If you fall into either of those categories, you need to make sure you are compliant, which includes obtaining valid consent where consent is the basis you rely on. What I recommend is starting with an audit of what you are collecting. First and foremost, what is meant by personal data? There are the obvious items, such as your name and your email address, and of course, if you use facial recognition, your physical appearance. But it can also be something as simple as a piece of information that, combined with something else, can identify you.
An IP address does count as personal data. That means most websites are processing personal data at their core, even if it is only through something as simple as Google Analytics. If you are collecting IP addresses or using cookies to track behaviour, you need to disclose it and obtain consent. Even if your business is not in the EU, you still have to comply with the regulation and have a lawful basis, such as consent, before you collect, use or share personal data about people in the EU.
Now I will explain the GDPR from two perspectives: that of the business owner who collects data from users, and that of the individual who actually provides the data. I will start with the business owner.
Business Owner Perspective
Let's look at the business owner's perspective first. For a business owner, the important points to address in 2018 are given below.
1. Make an Informative Audit
An information audit helps you understand what data you hold and identify the areas that could cause compliance problems under the GDPR. Look at the information you receive and determine:
- Why do you process this kind of information?
- How did you obtain it?
- What is the purpose of holding it?
- How long do you intend to keep it?
- How securely is it stored?
- Who do you share it with, and how?
Every business owner should work through these questions systematically.
2. Make sure that personal data is documented properly
You should document the personal and sensitive data you hold. Record where the data comes from and who you share it with.
The GDPR requires you to maintain records of your processing activities (its Article 30). This is important because if you hold inaccurate data and have passed it on to others, the records let you trace and correct it easily. It is also how you satisfy the GDPR's accountability principle.
3. Processing Data in a Legal Way
As a business owner you can process personal data, but only on a lawful basis, and you need to document which basis you rely on for each processing activity. This will be strictly enforced. Identifying the basis ensures that the processing is justified and protects the individual's rights. Consent is only one option: there are six lawful bases for processing personal data under the GDPR, listed below.
- Consent of the individual
- Contractual necessity
- Compliance with a legal obligation
- Vital interests of the data subject
- Public interest (a public task)
- Legitimate interests
Each processing activity must rest on at least one of these.
4. Review your consent
Review all your consent mechanisms before processing any data, because the GDPR sets a high standard for consent. Consent requires a clear affirmative action; you cannot infer it from silence, inactivity or pre-ticked boxes.
Keep records that prove the consent you rely on is clear and genuine: what the person was told, and how and when they agreed. If you rely on someone's consent to process their data, take the necessary steps to ensure that all your procedures meet the GDPR's criteria, including making consent as easy to withdraw as it was to give.
5. Review & Update Your Privacy Information
Compare your current privacy information against the GDPR requirements, then review and update it. GDPR compliance requires you to provide some additional information as well.
For example, when you collect personal data today, you probably already tell people who you are and how to contact your company. Under the GDPR you have to go further: you must explain your lawful basis for processing, and you have to include your data retention periods in your privacy notices.
6. Data Breaches
Make sure you have appropriate processes in place to detect, report and investigate a personal data breach. Personal data must not be accessible without proper authorisation.
Be aware of what personal data you hold about your users; carelessness can easily put that data into the wrong hands, or even make it publicly available through a simple mistake. If a breach happens, make sure you respond correctly: notify your supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them.
7. Ensure Individuals’ Right
Check your whole procedure to ensure that your company has the right tools to honour individuals' rights. Everyone has the right to be informed about how their data is used and the right to access it, so you must be able to give them that access on request.
You have to let them rectify inaccurate information. They have the right to have specific data erased. Anyone in the EU can ask you to restrict the processing of their data. They also have the right to data portability, and the right to object to particular processing.
8. Categorize Worthy Data
After analysing all the data your company has stored over the years, keep only the data you actually need and separate it from the rest, because the GDPR requires data minimisation. Companies are expected to let go of data that is not necessary for the purpose it was collected for.
9. Incorporate New Data
Where consent is your basis, the business needs to obtain clear, informed consent from the individual in order to use and store their data, so think about how you will re-obtain consent from existing customers if the consent you already hold does not meet the GDPR standard. You also need a process that allows a customer's data to be erased if they ask. Review your documentation to make it GDPR compliant.
10. Give a priority to data security
'Privacy by Design' (the GDPR calls it data protection by design and by default) is one of the underlying principles of the GDPR. It means that the security of users' data should be treated as a first priority and that systems and business processes should be designed so that privacy protection is built in from the start rather than bolted on afterwards. In practice, your IT department needs to implement safeguards for user data.
11. Recruit a Data Protection Officer
Finally, look for an expert who can help you prepare for and maintain compliance after the GDPR takes effect. The officer will also be responsible for building data safeguards into your systems. Note that a Data Protection Officer is mandatory only in certain cases (for public authorities, and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data), but to guarantee secure handling of data it is worth appointing one even where it is not required.
These are the key points a business owner should keep in mind while processing data.
Now I want to discuss the individual's perspective on the GDPR and give a complete picture of what they are entitled to when submitting any kind of personal data to an organisation. The GDPR brings eight key rights to every individual, and your procedures should be updated to ensure that you can honour them. The eight rights are given below:
1. The Right to access
Every individual has the right to access their personal data at any time. They can also ask how the company uses their data. The company must provide a copy of the data free of charge, in a printed or electronic format as requested.
2. The Right to be Forgotten
Consumers have the right to have their data erased. For example, if a consumer is no longer a customer of the company and their data is no longer needed for the purpose it was collected for, they can ask for their personal data to be deleted.
3. The right to data portability
Any individual can transfer their data from one service to another. The data must be provided in a commonly used, machine-readable format.
4. The right to be informed
This is the most important of an individual's rights: whenever data is gathered, the individual must be told. The individual must be informed before the company collects their data, and consent must be given by a clear affirmative action rather than implied.
5. The Right of Rectification
This ensures that individuals can have their data updated if it is out of date or needs amendment. If you have disclosed the data to third parties, you need to inform them of the rectification, and you have to tell the customer which third parties you shared it with if they ask.
6. The Right to Restrict Processing
Individuals can ask you to stop processing their data, but you may keep the record where it is. You simply stop using the data going forward. Make
7. The Right to Object
Individuals have the right to object to processing for a specific reason. For direct marketing there is no exemption: once an objection is received, processing for that purpose must stop. For other processing, the controller may continue only if it can demonstrate compelling legitimate grounds that override the individual's interests.
8. The Right to be Notified
If a data breach compromises individuals' rights and freedoms, they have the right to be notified. The company must notify its supervisory authority within 72 hours of first becoming aware of the breach, and must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
These are the key rights the GDPR gives individuals, to give them more power over their data and less to the organisations that collect and use it commercially.
In conclusion, I would say that in today's world data is an asset, as valuable as currency. Hence data should be provided, collected, stored and transferred properly, and the GDPR has come into existence to enforce that order, as the times demand. Though it creates challenges for some businesses, it also creates opportunities. Invest your time in understanding what you need to do to become compliant, and I hope this content helps you in that regard. Make a proper plan of action for your GDPR journey so that you can be relaxed when the regulation comes into force. I highly suggest you start your journey if you haven't already.
Disclaimer: The entire content of this blog post is not to be considered legal advice; it is for information only. Its purpose is to share information about the GDPR and its consequences with the general public.
Check out my other tutorial on creating a GDPR-compliant website in detail.