Who owns customers’ personal information and how organizations use and manage it?
The debate has been raging for years, but the newly-enforced General Data Protection Regulation (GDPR) in the European Union (EU) has turned the tables, putting customers in the driver’s seat. Launched on May 25, the new law gives EU citizens much stronger and better control over how, when and where their personal information is used.
If you’re running a business in the US, you may be wondering how GDPR affects you. While GDPR applies primarily to EU-based organizations, it also impacts businesses anywhere in the world that may deal with personal data of citizens residing within the EU member states. Basically, any company with an online presence should know about GDPR and compliance around the new regulation.
Through this short guide, we’ll arm you with the basics of GDPR and offer a few tips to become GDPR-complaint.
What Is GDPR?
General Data Protection Regulation is comprised of 99 articles, framing the obligations of business entities with respect to the protection of individual rights of EU residents as they relate to customer data online. The regulation also demands that any data exported outside the EU needs to be protected and regulated. In other words, enterprises will have to be GDPR-compliant if they wish to access, store, or share personal data of European citizens.
The legislation, according to the EU’s GDPR website, aims to harmonize privacy laws, enabling higher data protection measures that provide greater rights to individuals.
An Individual’s Rights Under GDPR
The following are the protective rights for individuals under the GDPR, which provides them more control over their personal data:
Right to be informed – A person has the right to be informed about how their personal information is being collected and used.
Right to access - Every user has the right to access their personal data being used and get an electronic copy of the same, which the website owner must provide free of cost.
Right to rectification – The user has the right to rectify any incorrect or incomplete personal data.
Right to erasure (or Right to be forgotten) – As per this, the user has the full right to leave a website and have their personal data deleted anytime.
Right to restrict processing – The user can restrict or suppress their personal data, which prohibits the company from processing or using the data.
Right to data portability – This gives users the right to transfer or download and reuse their personal data for their own purposes.
Right to object - Every user has the absolute right to prevent their data from being used for direct marketing or any other purpose.
Right to be informed about data breaches - The company must notify customers if a data breach has happened within 72 hours of knowing about the breach.
Rights related to automated decision making – It gives user the right to refuse being subject to a decision made by automated means, without any active human involvement.
What Information Does GDPR Cover?
GDPR applies to the following information of an individual or any other data that makes a person identifiable:
- Date of Birth
- Mobile number
- Email address
- Physical address
- Location data
- Social security number
- Profiling, sales and analytics data
- Web-based data, such as IP address, cookies, user location, and RFID tags
Besides the above list, GDPR also applies to sensitive personal data, such as:
- Genetic and HIPAA (Health Insurance Portability and Accountability Act) data
- Sexual orientation
- Ethnic data
- Political and religious beliefs
- Behavioral data
- Financial data
- Biometric data
Record of Compliance Progress
Businesses will have to maintain a log of data security risks, and the measures taken to minimize or eliminate those risks. This Record of Processing Activities, or RoPA, is required under Article 30 of the GDPR, which focuses on risky programs and applications that make user data vulnerable.
To tone down fraudulent activities, GDPR encourages storing of compliance logs on a distributed ledger like Blockchain, where records cannot be manipulated or altered. Though, this is not compulsory yet.
GDPR’s Effect on Social Media
While there aren’t any explicit changes in the way companies outside the EU will use these sites, it would be wise to make sure all of your marketing activities are accompanied by clear and specific privacy notices so your followers or audiences are aware of how you’re using their data. Again, even if you’re not conducting business in the EU, your digital footprint has the potential to reach an international audience.
What are the Consequences if Companies Do Not Adhere to the GDPR?
Failing to comply with the GDPR attracts penalties as high as 4 percent of global annual turnover, or €20 million (approx. $23.4 million US), whichever is higher. Since the May 25 launch of GDPR, tech giants Google and Facebook are facing a collective $8.8 billion lawsuit filed by Austrian privacy campaigner Max Schrems for violation of GDPR pertaining to opt-in/opt-out clauses. The privacy campaigner alleged that the way Google and Facebook obtain consent asking to check a small box, leaves users with no choice. If users do not choose "I accept", they are denied services — a clear violation of the GDPR.
Tips to Stay GDPR-Compliant
- Understand the types of personal data your business is dealing with, how this data is sourced, and where it is stored.
- Make sure your consent process is specific and transparent. Whether a user agrees to share personal data with your company or not needs to be spelled out loud and clear in the opt-in form.
- GDPR gives users the right to request for data access and fair processing notices. Prepare to fulfil these requests.
- Your users should also know how to withdraw consent or remove personal information from your database at any time.
- Review the data protection and security policies of your company and make them GDPR-compliant.
- Using encryption is recommended to protect your business from data breach, and the hefty fines associated with it.
GDPR may seem difficult but it isn’t necessarily so. Especially if you’re trying to make your organization more customer-centric (and you should), GDPR-compliance reflects your efforts to protect your customers. That’s a terrific USP that can add tremendous value to your business.