The General Data Protection Regulation (GDPR) is a regulation designed to protect customer data by imposing strict rules and guidelines on companies that work with customer data. The regulation stands for the rights of consumers regarding their data. It is intended to strengthen and unify data protection for all EU (European Union) citizens, and it also acts as a watchdog controlling the export of personal data outside the EU. Once GDPR takes effect it will replace the Data Protection Directive of 1995. The GDPR was adopted by the European Parliament, the European Union and the European Commission on 27 April 2016 and will be enacted on 25 May 2018.
Under the GDPR, people in the EU have the following rights:
- Right to access: every EU resident will have the right to access his or her personal data and to ask how that data is used by companies. On request, companies must provide a copy of the data free of charge.
- Right to be forgotten: if an individual requests it, the company will have to delete that individual's data.
- Right to data portability: people can request the transfer of their data from one company to another.
- Right to be informed: consumers now have the right to be informed by companies at the time their data is collected.
- Right to have information corrected: people can now update or modify their data if it is incorrect or out of date.
- Right to restrict processing: consumers can request that their data not be used for processing.
- Right to object: people can ask a company to stop processing their data for direct marketing, and the processing must stop the moment the company receives the request.
- Right to be notified: in case of a breach, a company is mandated to inform the consumer within 72 hours of the breach.
Which companies need to comply with GDPR?
- Companies with a presence in an EU country
- Companies with no presence in the EU that process personal data of EU citizens
- Companies with 250 or more employees
- Companies with fewer than 250 employees that process data of EU residents, where the processing impacts the rights and freedoms of data subjects or involves any kind of sensitive data
What types of data will GDPR protect?
- Basic identity information such as name, address and ID numbers
- Political opinions
- Biometric data
- Racial or ethnic data
- Health and genetic data
- Sexual orientation
- Web data such as location, IP address, cookie data and RFID tags
What impact will GDPR have on companies?
The GDPR puts the consumer in the driver's seat and places the task of complying on businesses. Any company that collects data of EU nationals will be required to comply with the new GDPR rules from next year, which will demand a completely new setup in order to abide by those rules. Even a company that only offers goods or services to citizens of the EU is subject to GDPR.
The regulation will create new concerns and expectations within the security departments of every company, with requirements that change the way companies process, protect and store data. Personal data will have to be portable from one company to another and erasable on request. Importantly, every company will be required to appoint a data protection officer and controller to take care of compliance.
Another important part is consent, one of the major developments of the GDPR. Consent from the data subject will have to be given by an affirmative and free action. Moreover, many of the opt-out methods used by marketers to date will be of no use from May 2018, as they won't be considered legal under GDPR.
It is wise for companies to start preparing for GDPR now, because noncompliance can result in a penalty of 20 million euros or 4% of turnover. Nevertheless, a survey conducted by Varonis states that 75% of businesses are finding it difficult to meet the deadline.
A few hints on how to get ready for GDPR:
- Appoint someone who will be responsible for complying with data protection requirements
- Set up all the internal processes required for your business to comply with the legal framework
- Identify the activities that involve processing data and analyze their compliance, e.g. website visitor tracking software
- Keep yourself updated on any new data regulation and observe the internal procedures scrupulously
GDPR has brought challenges to businesses, but at the same time it has also provided opportunities. Organizations that are keen on respecting individuals' privacy will be able to build deeper bonds and retain more loyal customers. The deadline of May 2018 may seem a long way off, but it will be upon you before you realise it, so start preparing your organization for GDPR now. Use your time to understand what changes and amendments will be needed to achieve compliance. And once you are ready, do not forget to run practice drills in your organization to make sure your journey with GDPR is a comfortable one and that you conquer new ground with GDPR.