The EU’s General Data Protection Regulation (GDPR) is the result of four years of work to bring data protection legislation into line with the way data is used today. It’ll apply to all businesses from 25th May 2018, and from this point, everyone must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
GDPR will also give consumers the right to ask companies holding data about them to delete it at any point during their connection with them. It gives them the right to ask for a copy of their digital data too, so they can send it elsewhere if they choose to.
It’s time to prepare. It’s a complex law, and one all businesses need to start reviewing so that they’re hitting the ground running next year.
What you need to know
- Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered
- When certain data is to be processed about customers, companies will have to first review the risks to their privacy
- The definition of personal data is often the subject of debate. It’s defined in the GDPR as: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”
- There’s been a long standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web.
- The GDPR has a tiered penalty structure that will take a large bite out of offender’s funds
What you need to do
The transition might seem overwhelmingly full of complexities, but you can make it seamless by getting organised now. Here’s how:
Make sure that everyone in the company knows what the GDPR is, how it will impact their work, and the serious consequences there’d be for the company if it isn’t adhered to.
Think about the information you store
Get to grips with precisely what information your business holds about people, or regularly asks for. Ask:
- What is the information you have today which will be subject to the new regulation?
- Where is this information stored?
- Who has access to it internally and externally?
- How can it possibly accidentally or maliciously leave the organisation?
Start ticking every box
There will be frequent checks that companies are meeting the standards laid down in the GDPR, and so right now consider assigning the responsibility to someone in your company who can oversee all demands are met.
Privacy by design
Once the GDPR is rolled out, customers will have to opt-in rather than opt-out of data collection. The commission don’t want privacy to be an add-on to processes, more the driving force behind them. So begin to work like this now if you don’t already. The earlier developers can implement privacy-friendly practices the more they can lower risks, and reduce costs of compliance.
Develop a clear policy, and start using it
The GDPR requires that you not only create policies that meet its mandate, but that you put it into action thoroughly and can prove you’ve done so – there’s no option to pay lip service to this.
We welcome all developments that make the web a better and safer place, and we’re fully supportive of the GDPR. If you’ve got any questions about how we’ll be helping clients ensuring security and privacy for their customers, just get in touch.