The General Data Protection Regulation (GDPR) came into force in May 2018, with the primary aim of giving you more control of the personal data held by third-parties such as retailers. Any company that holds the mandate to aggregate, store, and process this data has a responsibility to take every measure to ensure compliance with the regulation and protect the data they handle.
Even as the conversation around GDPR compliance continues to be a hot topic, here are a few things to keep in mind.
The GDPR Only Applies To “Personal Data”
While your company may handle data of all kinds, the specifics of the GDPR apply to what is defined as “personal data.” It is worth noting that the regulation seeks to expand the very definition of personal data in order to protect more data types.
As it stands, there is room to change and expand this definition as and when it becomes necessary. From a name and email address to an IP address, any such information that is specific to a person is considered personal information according to the directive.
About The GDPR’s Reach
The GDPR is an official EU standard and has been implemented in the local data privacy laws across all the states in the region.
Because it applies to data protection for all EU citizens, the burden of compliance falls on any business, anywhere in the world, that has clients or partners in the EU.
The Regulation Is For Both Controllers And Processors
Compliance is not just for processors, the companies that directly handle the collection, processing, and storage of data. Any company that decides how this data is collected and used, identified as a “controller” in the language of the GDPR, must also follow the regulation.
In some instances, the controller and processor are the same entity, and other times, the processor is just a company outsourced by the controller. Whichever the case may be, both the controller and processor must follow the regulation.
Non-Compliance Will Attract Fines
You may face hefty fines if you fail to comply with the GDPR. Exactly how much you pay in fines will largely depend on the severity of the data breach and the compliance actions you take in response to it.
Lower-level offenses may attract up to £10 million or 2% of your annual revenue, whichever is greater. Higher-level offenses, on the other hand, will attract up to £20 million or 4% of your company’s annual revenue, whichever is greater.
The Regulation Covers Data Attacks
Strong best practices must be in place to ensure that data is protected from all sorts of threats. According to the regulation, if a data breach or attack does happen, you have a responsibility to report it to the proper authorities in good time, which means within 72 hours of the incident. Failure to do so will, again, attract fines.
Rights Protected Under The GDPR
Getting to the specifics of the GDPR, the regulation gives individuals more control over their collected personal data by protecting their rights to:
- Be informed – Individuals must be informed of any data gathering and give their free consent to it.
- Access data – Individuals have a right to request access to their data. If requested, the data handling company must provide a copy of this data in electronic format and free of charge.
- Transfer data – The right to data portability means that individuals can freely choose to transfer their data from one service provider to the next.
- Restrict processing – Individuals can choose to have their data remain in place but not be used or processed.
- Correct data – Individuals have a right to have their records updated to cover incomplete or incorrect details.
- Be forgotten – When individuals withdraw consent for the use of their data, or no longer wish to use the services of a company, it is their right to ask that all their data be deleted.
- Object – Individuals have a right to object to the processing of their data for any number of reasons, including its use for direct marketing.
- Be notified in the event of a data breach – The company must notify not only the relevant authorities but also the individuals whose personal data it holds.
As with SOC, the GDPR aims at bringing transparency into data handling. To protect your clients’ data privacy and avoid hefty monetary fines, compliance is not optional. Anything that you should and can do to manage your processes and operations to ensure this compliance is, without a doubt, worth doing.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.