Is your business Ready for General Data Protection Regulation (GDPR)?
Privacy is a major concern for businesses today, as technology becomes ever more integral to their daily activity. 2017 was a terrible year for businesses in terms of data privacy and security. The global WannaCry ransomware attack, the hacking and leaking of data from organizations ranging from Honda to the U.S. Air Force, and breaches at universities have put data privacy in the spotlight for the coming year.
GDPR, or the General Data Protection Regulation, is a game-changing European legislation set to come into effect on May 25, 2018. It is set to replace the 1998 Data Protection Act, seen by many legislators as not stringent and secure enough for businesses in today's global economy. While European in origin, GDPR stands to affect businesses both inside and outside Europe.
What is GDPR and Why Should You Be Concerned?
The European general data protection regulation is wide-reaching and significant in scope, and will usher in a modern approach to data privacy and protection. Not only does it make the rules more stringent for businesses, it also empowers individuals to control how much of their personal information businesses collect. Some of the salient features of GDPR include -
- If your business activity involves systematic monitoring of user data on a large scale, or if you process "special category data" in large volumes, then you must appoint a Data Protection Officer (DPO) within your organization. This officer is responsible for ensuring that all your data collection and processing is done according to the rulebook, and also serves as the single point of contact for all queries regarding data privacy and protection
- GDPR applies to all businesses (even those with fewer than 250 employees) that have access to the personal data of their customers. Serious breaches or hacks must be reported to the GDPR regulator promptly, and within a maximum of 72 hours
- Individuals and customers now get to choose how businesses use their data. In certain cases, they can even ask for the deletion of their personal data if they are no longer a customer or have ended their contracts with the business
- Failure to comply with the GDPR regulations can result in harsh penalties (up to €20 million or four per cent of a business's annual turnover), and enforcement is expected to be strict
If you are already compliant with most of the norms, you will have a head start in addressing the remaining requirements. But this is simply not the case for most businesses, especially small businesses. A recent study conducted by Dell in conjunction with Dimension Research found that more than 80% of the IT professionals responsible for data privacy hardly know anything about GDPR. Worse still, 97% of companies do not even have a plan in place for when GDPR kicks in within a few months' time!
Key Elements of the EU General Data Protection Regulation
GDPR applies to all forms of personal data, whether directly or indirectly related to a person, and regardless of the format in which it is stored (online servers, offline sheets, etc.). It takes a wide view of what constitutes personally identifiable information in the modern world, thereby requiring companies to treat, for example, a user's IP address as carefully as they treat their social security number. Data which comes under GDPR include -
Which Companies Will Get Affected by GDPR?
Every company that stores and processes the personal information of EU citizens must comply with GDPR, even if it is not based in the EU. Specific criteria for companies which need to follow GDPR regulations include -
- All companies with a presence in an EU country
- Companies without a presence in the EU, but which process a significant amount of personal data of European residents
- Companies with more than 250 employees
- Companies with fewer than 250 employees whose substantial processing of personal information affects the freedoms of EU residents
According to a recent PwC survey, almost 68% of companies based in the USA will be directly affected by GDPR, and expect to spend between $1 million and $10 million to meet GDPR requirements. The European general data protection regulation will force many US-based companies to change the way they process personal customer data, and to put measures in place so that all personal data is erased upon customer request.
Why Is the General Data Protection Regulation Good For Your Business?
With the arrival of GDPR, organizations will have to become more careful in the way they handle the personal information of their customers, and while that sounds like a burden, it really is not. In many ways, implementing GDPR makes perfect business sense. Some of the business benefits of GDPR include -
Enhanced Customer Trust - GDPR will by default encourage businesses to store personal and confidential data more securely. Maintaining a clear, transparent and easily accessible channel through which customers know exactly what data of theirs is in use will help you gain their trust. This increase in public confidence can further help your marketing and PR as well
Better Competitive Advantage - While an initial allocation of resources and funds will be necessary to implement rules that follow GDPR regulations, in the long term they will be extremely beneficial. You can expect better policy and legal compliance, allowing your business to gain a competitive edge over others, and more customers will choose your business owing to its transparent nature
Improved Data Governance - By reviewing your information holdings periodically, and storing and indexing your customers' personal data on a regular basis, you will be able to facilitate easy access to information. You will also be able to correct data discrepancies more easily as and when they occur, and to delete personal data whenever your customers require it
Reduced Digital Footprint - With better data retention policies, your organization can decrease its overall storage overheads while streamlining existing processes, so that your digital footprint becomes considerably easier to manage
Better Information Security - Many small businesses do not take information security as seriously as they should. GDPR therefore gives your organization a chance to implement new rules and processes to govern personal data, which will be extremely beneficial as your organization grows
The GDPR Guide: A Helpful Checklist of Things to Do Before May 2018
One of the simplest but most important components of the GDPR regulation is its emphasis on privacy by design. Our general data protection regulation guide will help you put this into practice by taking you through a step-by-step process to get you started.
Map All Existing Data
Start by documenting where all the personal data that you hold comes from, and also document exactly what happens to it. Identify where it is stored and who has access to it, and identify existing risks.
Thereafter, find out whether you require customer consent in order to store this data. If you do, then make sure the consent form that the user fills in is specific and exact. If you don't have one, get started right now! In cases where customer consent is not required, you do not need to create a consent form.
Determine Which Data Is Important and Which Is Not
It's always a good rule not to keep more information than required, and to remove any excess information that has already been collected. If you are collecting a lot of raw data without doing much with it, let it go! Ask yourself the following questions -
- Can I erase this data instead of just archiving it?
- Why do I need to save this data?
- What am I achieving by collecting all this personal information?
- Is the financial gain from encrypting and keeping this data greater than that from just deleting it?
Establish Security Protocols
Start developing security safeguards throughout your existing infrastructure to contain data breaches. If you don't already have an IT team that can help secure your information, employ one. Figure out where you are storing your data, and whether there are multiple layers of protection and redundancy in place so that the impact of data theft can be minimized.
Conduct Due Diligence with Your Suppliers
Just because you outsource a lot of work does not mean you are exempt from liability under the GDPR legislation. So check with your suppliers to ensure they have the correct security in place. Ensure all your suppliers and contractors are GDPR-compliant, and can notify you fast enough in case of a breach.
Review Your Documentation Thoroughly
Start by reviewing all your privacy statements and disclosures and update them to become GDPR-ready wherever required. Since individuals have to give their explicit consent before you collect their data, ensure you do away with pre-checked boxes wherever present.
Prepare for Access to Information Requests
Under GDPR, customers can request that their personal details be deleted, or ask to see them in order to make an informed decision. They can also choose to rectify their data whenever they want to, and even object to the processing of certain data points. Each of these requests carries a response timeframe under GDPR (one month), so ensure that you already have processes set up to honor these requests in a timely manner.
Ensure Personal Data is Handled Correctly by Setting Up Procedures
Before GDPR comes into effect, you should establish correct procedures in order to ensure that you already meet all the norms as required by the legislation. Start by asking the right questions, such as -
- How do I gather consent from individuals legally?
- What is the process to delete customer data on request, and how soon can I do it?
- How will I ensure that the data is uniformly deleted from all my systems?
- When faced with a data transfer request, what process would work best?
- How will I verify a user's identity before giving them access to their personal data?
- What will the communication plan look like in case of a data breach?
Flatworld's Commitment - Your GDPR-compliant Partner across All Verticals
GDPR is a monumental step taken by the European Union to protect the fundamental right to privacy of its citizens. As a business, it is important not only to be GDPR-ready, but also to partner with service providers that already conform to the GDPR legislation.
Contact us right now! Get GDPR-ready!