The GDPR Explained
An overview on what the General Data Protection Regulation encompasses
Come May this year, the 63rd edition of the annual Eurovision Song Contest won’t be the only thing causing a splash in Europe. Along with welcoming the new king or queen of kitschy European pop music, EU citizens will also be welcoming a new regulation that promises to protect their personal data — the GDPR.
Just think about everything you do online that requires you to exchange personal information. Whether it’s online shopping, using social media, or communicating with your colleagues about project work on Zenkit — you do all this without giving it a second thought. But have you stopped to think about where exactly all your data goes, and whether or not it’s being handled in an ethical manner? The GDPR aims to ensure your data is always protected. In this article, we’ll uncover what it actually means, and delve into its impact on individuals and businesses.
What Is GDPR?
GDPR stands for General Data Protection Regulation. It is the European Union’s new regulation that safeguards the personal data of individuals in the EU, as well as the export of personal data. This means that it doesn’t just affect the European continent, but also businesses around the world that deal with information of European citizens. At the time of writing, the GDPR also includes the United Kingdom (UK), despite recent Brexit changes.
The GDPR defines ‘personal data’ as: “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
The purpose of the GDPR is to ensure that the privacy of EU citizens is protected. It provides new ‘digital rights’ to consumers and establishes consequences for the misuse of sensitive information. To summarize:
“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.”
The GDPR was approved by the EU Parliament on the 14th of April, 2016, and after a two-year transition period, will take full effect on the 25th of May, 2018. It replaces the outdated Data Protection Directive, which has been in force since December 1995. Once implemented, it will mean that businesses will have to comply with the new regulations or risk heavy financial penalties.
Why Is the GDPR Necessary?
The current directive has been in place since 1995, which means that it has been 15 years since regulations have changed. Technology has since evolved and impacted our lives massively, to the point where we rely on the internet to achieve everyday tasks. Over 1 billion users actively use social media daily, and things like banking, renewing licenses, and even trying to find love are now done online. Imagine all the personal data that’s involved. And now imagine if that got into the wrong hands.
Along with a digital economy, concerns over privacy issues have also developed over the years. This is due to a lack of transparency about where personal information goes, and what businesses do with it once consumer details are processed. Also, add targeted marketing to the mix — consumers don’t want to be inundated with emails, phone calls, and letters about things they didn’t sign up for. They know that they are being targeted due to a newsletter they signed up for aeons ago that was slightly related to that subject. Consumers want to avoid this, so much so that a research study of more than 2,400 UK consumers reveals that they are purposely providing false details to brands as a means to protect their privacy and to avoid unwanted marketing.
The GDPR is necessary as an updated and revised regulation that meets the increasing demands of evolving technology and is needed to ensure personal data protection. Consumers have the right to know what their data is being used for, and how it is being processed.
To quote Vera Jourova, Commissioner for Justice, Consumers, and Gender Equality, “In today’s world, the way we handle data will determine to a large extent our economic future and personal safety. We need modern rules to respond to new risks, so we call on EU governments, authorities and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day.”
As well as providing an updated amendment to laws and policies, the GDPR is also an attempt to create stronger and more unified data protection that will bring together all previous and other regulations throughout the EU. This regulation will be consistent throughout all 28 EU member states and is designed to simplify the regulatory environment.
So, What Does This All Mean?
There have always been laws protecting the privacy of citizens within the EU, but this proposed new regulation will see privacy as a fundamental right. This means that businesses that fail to comply will face severe penalties.
Every EU-based company, from startups to larger corporate enterprises, whose business deals with EU data will have to prepare for the GDPR. This means revising, updating, and amending their policies, privacy notices, and business protocols to satisfy the requirements addressed in the GDPR. The implementation of the GDPR could also mean that businesses need to recruit a data protection officer (DPO) so that they have someone formally placed to oversee protection strategies and ensure compliance with the new requirements.
What this also means is that there will be considerable consequences for non-complying companies, as previously mentioned. Those who fail to adhere to the GDPR’s new requirements face fines of up to €20,000,000 or 4% of the business’s annual global turnover.
What Are the Key Changes of the GDPR?
The GDPR is an updated and revised regulation. It has been updated to include standards that are relevant to the nature of personal data processing today. Here’s an overview of the GDPR key changes, including data subject rights:
Extended Jurisdiction
One of the biggest changes in the GDPR is the extended jurisdiction of the regulatory landscape. Prior to the proposed regulation, there was ambiguity surrounding territorial applicability, and it wasn’t clear whether it also applied to companies that weren’t physically located in the EU but dealt with EU business. The GDPR makes it explicitly clear that it applies to ‘the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.’ It also applies to controllers and processors outside the EU whose activities relate to offering goods and services to EU citizens.
Penalties
Businesses and organizations face GDPR fines when they breach the regulation, which includes infringements such as not having sufficient customer consent for processing data. Fines will be arranged in a tiered structure and will apply to both controllers and processors. The maximum fine that can be imposed will be the greater of €20,000,000 or up to 4% of annual global turnover.
Consent
Circumstances surrounding consent have been strengthened to ensure consumers are not unknowingly allowing businesses to process their data. Companies will now have to provide a request for consent in legible and accessible language. This means no more lengthy, unintelligible terms and conditions that the average consumer will have difficulty understanding. Consent must be apparent, and it also must be easy to give and withdraw it.
Breach Notification
In all EU member states, breach notifications will be required where a breach is likely to ‘result in a risk for the rights and freedoms of individuals.’ They must be reported within 72 hours of first becoming aware of the breach, and data processors will be required to notify controllers and customers.
GDPR Data Subject Rights:
Right to Access
Under the GDPR, data subjects (consumers) will have the right to request information from data controllers about whether or not their personal data is being processed, its whereabouts, and the purpose for it. Data controllers must also provide a copy of the personal data, free of charge, upon request.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten means data subjects are entitled to have their personal data removed or stopped from being processed by the data controller. Conditions for erasure include the data no longer being relevant to its original intentions, or the data subjects simply wanting to withdraw consent.
Data Portability
Data portability allows data subjects to receive the personal data held about them, and gives them the right to send that data to another controller.
Privacy by Design
Part of a legal requirement under the GDPR, privacy by design entails controllers having to ensure that data protection is considered and included from the very beginning of system design, rather than being added afterwards. It also requires data minimization, which means controllers only hold and process data that is absolutely necessary for them to complete their duties, and restrict access to personal data to only those who do the actual processing.
Data Protection Officers
According to the GDPR, employing a DPO will become mandatory for businesses where the main activities for their controllers and processors require ‘consistent and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.’
So, How Will the GDPR Impact Individuals?
As a consumer, the implementation of the GDPR will mean that you have more control over your personal data. You get to choose what businesses can and cannot do with your information, as well as retract any data if you feel that it is no longer necessary for a particular brand to still hold and process it.
Along with control, transparency about your data will also be a major effect of the GDPR. Consumers may start to notice how businesses collaborate with them when it comes to their personal information. Gone will be the days of confusing privacy notices that are so long that only a superhuman will have the time and effort to finish reading them. From here on in, any language regarding your personal data will have to be in plain and simple text.
The introduction of GDPR fines signifies that consumer rights must be, and will be, maintained. This means that anyone working with personal data, be it a data controller about to undertake new processing, or a web developer designing a new system, will have to consider the rights of the consumer, and proceed only if their activities and/or actions satisfy the new requirements.
There may be a few consumers out there that may not want to control or know about their data. But what the GDPR offers is the option to do so, something that was lacking in previous regulations. By having such transparency and control available, even if it is not exercised, consumers may start to regain their trust in businesses and organizations that obtain and process personal data.
And How Will the GDPR Affect Businesses?
Despite what some people may think, preparations for the GDPR are not exclusively for the IT department — it is an issue that will impact the whole business, from the marketing and communications team who will propose new terms and conditions, to the sales team who’ll need to know how their company complies when meeting potential customers. If yours is a business that operates within the EU or with EU individuals, then it is something that you have to keep on top of in order to stay relevant and competitive (as well as operating) in this digital economy.
How Can I Ensure That My Company Is GDPR Compliant?
While there is no single solution to make a business or organization GDPR compliant, there are certain things that it can do (if it hasn’t already) to ensure it’s proactive in handling and protecting consumer data. Here are our tips:
Provide information and training
Educating your employees on the ins and outs of the GDPR is an imperative step to take toward company-wide compliance. Encourage your staff and colleagues to understand how the GDPR will affect them, both as employees of the business and as consumers. Make sure they are aware of the consequences and risks involved if the requirements are not followed through, and that compliance is a team effort. Training can be provided through an outsourced expert, or by nominating someone in the team who has read up on their fair share of GDPR articles.
Conduct a data audit
Start by mapping out on a spreadsheet where all the personal data that your business collects comes from. Then record how it is being processed and used. Make sure you also include the people who can access the data and whether or not said data poses any risks. Once you record and analyze all the personal information, you can then start to minimize the data, because there is no point in having it there if it does not benefit your company in any way (as the saying goes, it’s better to be safe than sorry!). Determine what you need to keep and whether it’s better off erased or encrypted.
Establish security measures
Reporting data breaches is part of GDPR policy, which means that your company must have standards in place so that any loss or breach of data can be reported within 72 hours. But, of course, what is more ideal is to prevent any breaches from happening in the first place. Develop and implement security measures throughout your systems to help avoid any data mishaps. Also establish a plan of action that will highlight how to notice a loss or breach of data, and the steps to take to report it.
Ensure documentation is in order
GDPR states that consumers must explicitly consent to the processing and use of their personal data. This may mean that any pre-checked boxes or automated answers on forms and questionnaires may not be acceptable anymore. Do a major review of all privacy statements and disclosures, and adjust accordingly.
Hire a Data Protection Officer
While not a compulsory thing for every business, having a DPO on board will ensure that your business has an expert on hand to provide information, education, and training for anything to do with the data protection laws and its practices. For businesses who don’t have the budget to splash out on a fancy DPO, an alternative solution can be to appoint a staff member to be fully trained in GDPR and for them to impart their wisdom to the rest of the company so that no one misses out on being prepared and well-informed.
The thing to note about the GDPR is that while at first glance it may seem to only benefit consumers, there are benefits in it for businesses as well. Yes, businesses will have to do a lot more once the regulation is implemented, and there may be challenges to overcome in terms of reviewing processes, auditing data, and educating staff members, but the introduction of the GDPR can present an opportunity. Businesses that demonstrate they value their customers’ privacy, and are taking precautions to ensure that personal data is not being exploited, have a higher chance of retaining more loyal customers. As a consumer, you are more likely to proceed with a brand that is transparent about how it utilizes your data as opposed to one that keeps it hush-hush, right?
The essential aim of the GDPR is to ensure the privacy of EU citizens is protected and that businesses don’t misuse personal data. While we may get off to a tricky start, the consistency of the GDPR throughout the member states intends to create a harmonized data protection regulation — if we succeed at this, then catchy, kitschy pop music will not be the only thing Europe will be known for.
The 25th of May, 2018 is not too far away now, so if your business hasn’t already started taking the steps to prepare itself for the GDPR, well, you better get a move on! For those who have already started making changes, don’t forget to share your tips on how you got started.
Dinnie and the Zenkit Team