The Ultimate Guide to EU GDPR Compliance
Every day we share lots of personal details on different websites without thinking twice about why these companies need our personal information. What will they do with these details? Where will they store it? Is it safe to share personal details like address, phone number and more with these remote companies?
Frequent data breaches at big names like Yahoo, LinkedIn and MySpace, which leaked the personal and financial details of users, show that sharing data isn't as safe as we perceive it. These breaches can compromise the personal and financial safety of individuals. This is quite intimidating, and to help protect its citizens from further damage, the European Union has replaced its existing privacy rules with new ones.
What is GDPR?
The General Data Protection Regulation (GDPR) is the legal framework that sets the provisions for personal data collection and processing across the European Union and has unified privacy laws within Europe.
GDPR sets guidelines for data management and gives rights back to the users. It is a critical piece of legislation for almost all companies that handle citizens' data, such as social media websites, banks, insurance companies, etc.
GDPR was passed by the European Parliament in April 2016 to prepare Europe for the internet-connected era. It is designed to answer the lingering question of how and where the personal data of users is used and how it is handled.
GDPR will be applied to all 28 EU countries including the UK in May 2018. Its strict clauses will aid in regulating storage and processing of Personally Identifiable Information (PII) across Europe. This will be the biggest shakeup of the data privacy rules and will supersede the existing Data Protection Directive 1995.
Every organization in the world that deals with or controls the personal data of EU residents has to comply with the strict rules set by GDPR, or it may be heavily penalized.
Why was GDPR created?
A question might arise: why was GDPR created despite the current data protection regulation (1995) already operating across all EU states? Why did the authorities feel the need to devise GDPR in the first place?
The rationale behind creating GDPR is to harmonize data privacy laws across all EU states which will not only provide enhanced data protection to users but will give them exclusive rights to control their data usage.
This is the greatest overhaul of the EU's 1995 Data Protection Directive in the past 20 years, with several new rules included in it. All EU states abide by the current Data Protection Directive; likewise, they will have to follow GDPR.
Growing privacy concerns of the general public and their apprehensions regarding misuse of their personal data prove to be the key motive behind creating GDPR. The concerns are significant and are supported by high profile data breaches making headlines occasionally.
Statistics regarding people's concerns are also alarming: 80% of people across Europe name losing banking data as their top concern, whereas 76% of people name losing personal and security information such as ID cards and passwords as their top concern.
Consumers are becoming more aware with time; they are conscious of their rights and thus want full transparency and security for the data they share with a company. 62% of consumers see a data breach as a failure on the company's part and would blame the company instead of the hacker.
In the US, 72% of consumers said they would boycott a company involved in a data breach. Security concerns and lack of trust have escalated so much that around 41% of surveyed people admitted to faking their data when signing up online in order to protect their details.
The existing data protection directive became operational in 1995, when the internet was in its infancy. Although the directive suited the security demands of that time, it largely fails to protect users in today's booming internet world.
The directive fell short in covering modern means of data collection, storage and transfer. GDPR was created to fill these gaps in the law. The aim of GDPR is to build the digital future of Europe on trust; it is an evolution of the EU's old data protection directive and a step taken to keep pace with shifting global trends.
It will alter the conventional handling of consumers’ data by different organizations and businesses; it will make them more responsible towards consumers’ personal information and make them conscientiously protect users’ data from exploitation and misuse.
When will GDPR come into force?
The General Data Protection Regulation will come into force on May 25, 2018. It will be applicable to all 28 EU states. GDPR was passed in April 2016 by the European Parliament and officially became part of EU legislation. It replaces the existing outdated data protection directive (1995).
To make Europe fit for the global age, the European Commission set out a plan and proposed reforms to the existing data protection directive in 2012. Its aim was to give EU citizens better protection and privacy across Europe.
The provisions were finalized after four years of debate and brainstorming and agreement was reached over what should be reformed and how.
The standard set by GDPR is demanding, and businesses will require additional investment and skilled administration to meet it. Therefore all companies and businesses across the EU were given two years to make the necessary arrangements and changes to their internal rules for the adoption of GDPR.
Who does GDPR apply to?
GDPR applies to every individual, company or organization that is either a controller or a processor of the personal data of EU residents. Its provisions will ensure the protection and privacy of EU citizens' personal data and regulate its storage and transfer.
Any business or company, regardless of its geographic location, that provides services to European consumers, stores or transmits their personal data (for example, Google, Facebook, Twitter, etc) or monitors the behavior of EU subjects, will have to comply with GDPR provisions to continue their business in Europe.
They will have to take the necessary steps to secure that data and make sure it isn't stored anywhere beyond what their analytics require, or they can land themselves in serious trouble.
Small and medium-sized enterprises (SMEs) with fewer than 250 employees will not have to fulfil the entire list of GDPR clauses. A possible reason behind this relief is that smaller organizations pose much less data breach risk compared to giants like Google, Facebook, etc.
What does GDPR mean for businesses?
GDPR will have a huge impact on the businesses located in Europe and even those located outside Europe if they deal with EU citizens. It will largely alter the ways they collect, use and store consumers’ data.
Geographic location doesn't matter as long as the organization deals with and processes the personal data of EU residents. Sadly, at this time many organizations located outside the EU aren't aware that GDPR applies to them too. And just 38% of British organizations are aware of GDPR; this indicates a general lack of awareness of this law and its possible implications.
Business giants like Google, Facebook and others will be affected the most by this latest law as they use consumers’ personal data to track their interests and use it for their marketing campaigns. Banks, insurance companies and retailers will have to revamp their entire data storage process in order to avoid penalties under GDPR.
GDPR puts users in the driver's seat, and now companies have to be extra vigilant when dealing with their users' data. All responsibility for protecting data lies with them, and in case of negligence they can face very hefty penalties.
What does GDPR mean for consumers/users?
GDPR is entirely about consumers’ rights and their privacy and this will literally make consumers in charge of their personal details when it comes to data usage, storage, sharing, and transfer. Companies and data controllers now will have to put consumers’ rights above their own interests.
For users, GDPR will be favorable in several ways. Following are some of the privileges that GDPR provides to EU citizens:
- Explicit communication: Organizations now will have to explicitly communicate to their consumers how their personal data will be used, through either detailed consent statements or extended privacy policies.
- Consent: The consent should be taken in clear and plain language through clear affirmative action and it should be unambiguous. Organizations cannot force consumers to give consent in order to proceed. Pre-ticked boxes or inactivity should not be counted as consent.
- Right of access: GDPR gives consumers the right to access their personal data held by the organization. They can check how their data is being processed, who can see their details and for how long the company has stored their personal data. They can demand a copy of their data, which should be provided within 30 days, and the organization should bear the cost of it, unlike the current practice of charging users up to £10 for retrieving data.
- Right of portability: Users can demand data portability when switching suppliers or closing accounts.
- Right to be forgotten: This law gives users the exclusive right to demand that their stored data be deleted from the company's analytics. Users can insist on erasure if they find their data has been unlawfully processed, if they withdraw their consent, or if the data is no longer essential for the purpose it was initially collected for.
- Right to rectification: Users can demand that their data be rectified if they find it incorrect or incomplete.
- Right to object: GDPR gives users the right to object to the profiling of their data and its use for marketing.
- Notifying data breach: In case of a breach, the company has to notify the user within 72 hours, so that they can instantly take measures to secure their sensitive data, like bank details, etc.
GDPR gives these exclusive rights to EU citizens and companies should keep them in mind when processing data and devising policies to avoid landing in legal trouble in case of non-compliance.
What counts as personal data under the GDPR?
Data has become a fundamental part of our lives: whether it's banking, making a purchase, using social media or dealing with government services, all of it involves our personal data being collected, stored, analyzed and even transferred as required.
GDPR is specially designed to protect the personal data of users from misuse and covers both personal data and sensitive personal data. Though it is quite complex to evaluate which information falls under which category, broadly they can be categorized in this manner:
Personal data refers to any piece of information which can be used to identify a person. The following will count as personal data under GDPR:
- Email Address
- Phone Number
- ID card number
- Social security number
- Web data, which includes:
  - IP address
  - Location information
  - RFID tags
  - Cookie data and browsing habits based on those cookies
Sensitive Personal Data:
Sensitive personal data incorporates all information about an individual which is sensitive in nature and which, if shared or transferred without the individual's consent, can raise security issues and pose harm to that person. The following information will be categorized as sensitive personal data:
- Health and genetic data of the person
- Biometric information
- Information regarding sexual orientation
- Racial and ethnic data
- Political opinions
- Religious views
- Banking and financial details
Although GDPR covers almost all of the personal data categories already protected under the existing data protection directive, the difference is that GDPR also protects pseudonymized personal data along with general data.
When it comes to applying GDPR to all operating companies and businesses, there are some exceptions too. Anti-doping agencies, journalists, and historical and scientific researchers have been exempted under the GDPR and can handle users' data according to their work requirements.
How do I get consent from my users under GDPR?
One major clause of GDPR is the need to take explicit consent from users, and companies have to demonstrate the unambiguous consent taken from their users in order to process their data.
Consent should be taken through affirmative action, and any passive or implied consent won't be acceptable under GDPR. The following are the ways through which companies can take consent from their users to comply with GDPR:
- The consent should be free and should not be linked to negative consequences in case of denial.
- The consent should specifically mention the period and purposes for which the data will be used; these should be in bullets with users having a choice to give consent to whichever purpose they want.
- Purpose of the consent once taken can’t be extended further.
- Companies should provide a detailed account of the usage of data and if they fail to provide the necessary information to the user, the consent will automatically be nullified.
- Pre-ticked boxes can’t be used for consent; they should include affirmative action, like ticking a box, to be considered as consent.
- The consent request shouldn't be bundled into the terms and conditions; it should be presented to the user separately.
- Inform people clearly how they can withdraw their consent.
- Always keep a record of the consent and maintain evidence of who consented, when and how. It is essential to keep a record to avoid the penalty if the company has to prove the consent in the future.
- In case you are already taking consent but are not sure whether it meets the GDPR standard or not, it is better to run a re-permission program, refresh the consent form, update the subscribers' list and remove those who didn't give consent.
Devising a foolproof consent request which won't be categorized as GDPR non-compliance is a real challenge. Companies should consider the above-mentioned tips carefully and take the help of experts when planning a consent request.
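The consent rules above translate directly into what a consent ledger must enforce and record. The following is an added example, not code from the article: it validates a consent request (affirmative action only, named purposes, not bundled with the terms), records one decision per purpose with who/when/how evidence, and treats withdrawal as a later decision so the trail is kept. The action names and purposes are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed example of a consent ledger. Action names and purposes are
# assumed for the illustration; the rules enforced are the ones listed above.
AFFIRMATIVE_ACTIONS = {"ticked_box", "clicked_button", "signed_form"}


@dataclass
class ConsentEvent:
    subject_id: str   # who
    purpose: str      # the single purpose this decision covers
    granted: bool     # True = consent given, False = consent withdrawn
    when: datetime    # when
    how: str          # the action that expressed the decision


def validate_consent_request(action: str, purposes: List[str],
                             bundled_with_terms: bool = False) -> List[str]:
    """Return the reasons a consent request would be invalid (empty list = valid)."""
    problems = []
    if action not in AFFIRMATIVE_ACTIONS:
        problems.append(f"{action!r} is not an affirmative action (pre-ticked "
                        "boxes and inactivity do not count as consent)")
    if not purposes:
        problems.append("consent must name at least one specific purpose")
    if bundled_with_terms:
        problems.append("consent request must be separate from the terms and conditions")
    return problems


@dataclass
class ConsentLedger:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, subject_id: str, purposes: List[str], action: str,
               granted: bool = True, bundled_with_terms: bool = False) -> None:
        """Record one decision per purpose; refuse anything GDPR would not accept."""
        problems = validate_consent_request(action, purposes, bundled_with_terms)
        if problems:
            raise ValueError("; ".join(problems))
        now = datetime.now(timezone.utc)
        for purpose in purposes:
            self.events.append(ConsentEvent(subject_id, purpose, granted, now, action))

    def withdraw(self, subject_id: str, purposes: List[str],
                 action: str = "clicked_button") -> None:
        # Withdrawal is a later decision with granted=False, so earlier evidence is kept.
        self.record(subject_id, purposes, action, granted=False)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Evidence for the current decision: events are appended in order, the last one wins."""
        matching = [e for e in self.events
                    if e.subject_id == subject_id and e.purpose == purpose]
        return matching[-1] if matching else None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # A purpose never consented to cannot be processed: consent does not
        # extend beyond the purposes originally named.
        event = self.latest(subject_id, purpose)
        return event is not None and event.granted
```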
What is a GDPR breach notification?
After GDPR comes into effect on May 25th, organizations should be extra vigilant regarding data breaches and notifications. Under the new law, any unauthorized access to the personal data of users, or any loss of personal data, should be reported to the supervisory authority without delay.
Organizations, as soon as they become aware of a data breach, should notify concerned authorities within 72 hours, and if they’re unable to, they should give solid reasons for the delay.
A data breach can compromise the security and freedom of individuals, therefore the breach notification should clearly state:
- the nature of the data breach
- the approximate number of data records affected
- the contact details of the organization's data protection officer
- the possible consequences of the data breach
- the measures proposed to mitigate the possible adverse effects of the data breach
If there is a high personal or security risk of users due to the breach, then the company should also notify the victims that their data has been compromised. This should be done via direct communication and shouldn’t be conveyed with just a press release or a notification on their website and social media accounts.
When does an organization need to make a notification about a breach?
GDPR protects the personal data of users, so whenever a company experiences a personal data breach affecting EU citizens, it will have to issue a notification to the competent supervisory authority within 72 hours.
The company has to notify the authorities about a data breach if it leads to alteration, unauthorized usage/transfer, unlawful destruction, illegal access or unlawful processing of users' personal data.
Moreover, if the data breach results in a high security risk to users, they should also be informed individually, and the remedial measures to mitigate the adverse effects of the breach must be conveyed to them.
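The timing and content requirements in the two sections above can be checked mechanically before a notification goes out. The following is an added example, not code from the article: it computes the remaining 72-hour window from the moment of awareness, flags missing required contents, requires a stated reason when the authority is notified late, and insists on a direct channel for individuals when the risk to them is high. Channel names and the ISO 8601 timestamp format are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed example that checks a draft breach notification against the
# requirements described above. Timestamps are ISO 8601 strings and the
# channel names are assumed for the illustration.
AUTHORITY_WINDOW = timedelta(hours=72)
DIRECT_CHANNELS = {"email", "letter", "phone", "sms"}


@dataclass
class BreachNotification:
    aware_at: str                  # when the organization became aware of the breach
    nature: str                    # nature of the breach
    approx_records: int            # approximate number of records affected
    dpo_contact: str               # contact details of the data protection officer
    consequences: str              # possible consequences for the individuals
    mitigation: str                # measures proposed to mitigate adverse effects
    high_risk_to_individuals: bool
    sent_at: Optional[str] = None                # when the authority was notified
    delay_reason: Optional[str] = None           # required if sent after 72 hours
    individuals_notified_via: Optional[str] = None


def hours_until_deadline(aware_at: str, now: str) -> float:
    """Hours left in the 72-hour window (negative once it has passed)."""
    deadline = datetime.fromisoformat(aware_at) + AUTHORITY_WINDOW
    return (deadline - datetime.fromisoformat(now)).total_seconds() / 3600


def check_notification(n: BreachNotification) -> List[str]:
    """Return every way the draft falls short (empty list = ready to send)."""
    problems = []
    for field_name in ("nature", "dpo_contact", "consequences", "mitigation"):
        if not getattr(n, field_name).strip():
            problems.append(f"missing {field_name}")
    if n.approx_records < 0:
        problems.append("approximate number of affected records must be given")
    if n.sent_at is None:
        problems.append("supervisory authority not yet notified")
    elif hours_until_deadline(n.aware_at, n.sent_at) < 0 and not n.delay_reason:
        problems.append("notified after 72 hours without a reason for the delay")
    if n.high_risk_to_individuals:
        if n.individuals_notified_via is None:
            problems.append("high risk: affected individuals must be told directly")
        elif n.individuals_notified_via not in DIRECT_CHANNELS:
            problems.append(f"{n.individuals_notified_via!r} is not direct communication")
    return problems
```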
What are the GDPR penalties and fines for non-compliance?
Non-compliance with GDPR provisions can result in hefty penalties and fines for businesses. The fines can be as high as €20 million or 4% of the organization's global revenue (whichever is higher), which for large companies can run into billions.
This is the maximum fine, which can be imposed for serious GDPR violations such as a personal data breach, not taking consent for personal data processing, unauthorized transfer of data, not complying with users' requests to get hold of their data, or violating the privacy of consumers.
There is also a minimum fine of 2% of the company's global turnover or €10 million (whichever is higher) which can be imposed as a result of smaller offenses, like not appointing a data protection officer in the company, not processing people's data in the correct way, not notifying the supervisory authority and victims about a data breach, and not evaluating the impact of a data breach.
The diversity of offenses resulting in penalties has made several organizations vulnerable towards fines. According to research, 53% of companies believe that they might be fined for non-compliance once GDPR is enforced.
Further stats predict that the EU could collect as much as $6 billion in the first year of GDPR enforcement.
GDPR implementation checklist for small and medium-sized enterprises (SMEs):
Smaller companies will be affected most by the GDPR because they may not have enough resources to meet its conditions and make the necessary arrangements for data protection.
Here’s a quick GDPR implementation checklist for SMEs to aid them in their preparation for GDPR and minimize their internal disruption:
- Map the data: Map all the personal data (name, address, phone number, IP address, etc) and sensitive data (biometric details, banking details, religious/political views) coming into your organization. Document it and check who has access to the data, how it is being processed and whether it is prone to hacking or not.
- Consent: Under GDPR the consent needs to be specific, clear and explicit, and any ambiguous consent (like consent taken through pre-ticked boxes) isn't acceptable. So, evaluate whether you are relying on consent to process data or not. It is better to avoid relying on consent unless it is essential.
- Security measures: Review your security measures and policies; put them in place to comply with the conditions of GDPR. Moreover, use encryption when processing data; this will help you avoid hefty penalties in case of data breaches.
- Access request: Start preparing your organization to handle users' access requests within one month, because users have been given exclusive rights to access, alter or delete their data under GDPR.
- GDPR program and training employees: Kick off a GDPR program in your organization to update executives about the changing data protection laws. Moreover, start a training program for your employees too; educate them about what counts as a personal data breach and how to identify it. Instruct them how to quickly report a data breach (within 72 hours) to the official authority and to consult their DPO in case of a mistake.
- Supply chain: Review your supply chain and make sure all of your contractors and suppliers are following GDPR. This is essential because negligence on their part regarding data protection can land you in trouble.
- Fair processing notices: You should create fair processing notices for your consumers; these will contain details of what you will be doing with the users' data. Don't forget to check what sort of personal information is essential to keep, and remove all unnecessary data that isn't beneficial, to avoid problems in future.
- Data protection officer: Check whether your organization needs a Data Protection Officer (DPO); if yes, then immediately appoint one for better management of users' data.
- May 14, 2018