
The Ultimate Guide to General Data Protection Regulation (GDPR) – Volume I

Over the past couple of weeks, our email inboxes have been flooded with emails from businesses and organizations with the subject line ‘Updates to our privacy policy’. Companies from Google to Slack, Medium, and Uber have updated their terms, rewritten contracts, and rolled out new personal data tools as part of a massive shift in the legal landscape.

In other words, these four letters have had a huge impact and caused an uproar among European businesses.

A study conducted by Dell and Dimensional Research found that 80% of businesses know only a few details about GDPR, or nothing at all. The global survey on the European Union’s new General Data Protection Regulation (GDPR) revealed that both SMBs and large enterprises are unaware of the requirements of the new regulation, of how to prepare for it, and of the impact of non-compliance on data security and business outcomes.

The outcomes of the survey are:

•    More than 80 percent of companies say that they are not prepared for GDPR and know only a few details about it
•    One in three companies feel they are prepared for GDPR today
•    More than 75 percent of respondents outside Europe say they do not know whether they are prepared for GDPR
•    Nearly all companies (97 percent) don’t have a plan for when GDPR kicks off in 2018. Only three percent of respondents have a GDPR readiness plan

So, if you are not aware of GDPR, hefty fines and penalties await.

Here is everything you need to know about GDPR:

The Birth of GDPR

GDPR stands for General Data Protection Regulation.

EU GDPR (European GDPR) is a new set of rules designed to give European (EU) citizens more control over their personal data. Businesses are required to protect EU citizens’ personal data within EU member states.

According to the GDPR, personal data is any information relating to a person, such as a name, a photo, an email address, bank details, posts on social networking websites, location details, medical information, or a computer’s IP address.

Companies in the banking, insurance, and other financial sectors are required to update their company rules and privacy policies.

The primary objective of GDPR is to simplify the regulatory environment so that both citizens and businesses in the European Union can fully benefit from the digital economy.

GDPR will apply to all companies that store personal information about citizens in Europe, including companies on other continents.

When does GDPR come into force?

In January 2012, the European Commission set out rules for data protection across the European Union to make Europe ‘fit for the digital age’. Four years later, the authorities gave businesses a two-year preparation period.

On April 27th, 2016, the European Parliament and the European Council adopted the GDPR, replacing the outdated Data Protection Directive enacted back in 1995. Under that directive, each of the twenty-eight EU member states was allowed to adopt and customize the law to the needs of its citizens. GDPR instead gives all 28 EU countries one set of rules to comply with. This new EU framework applies to organisations in all member states and has implications for businesses and individuals across Europe, and beyond.

The major aim of the European Commission and the European Union is to build solid common standards for data protection, so that people can be sure their personal information is safe.

As of 25 May 2018, all organisations are expected to be compliant with GDPR.

Exploring the GDPR

The GDPR consists of 99 articles that set out the obligations placed on businesses subject to the regulation and the rights of individuals. The regulation affects firms both inside and outside of the EU: organizations dealing with European citizens, businesses, and residents must comply with the GDPR.

For example: if a U.S. company does business with customers in the UK, it is still required to comply with GDPR because European data is involved, even though the company is located in the U.S.

This set of rules will harmonize European data privacy laws, giving individuals rights and greater protection.

What is GDPR compliance?

Any organization or individual might face a data breach at some point. Data may be misused, stolen, or mishandled, often by people with malicious intent.

In this case, under the terms and conditions of GDPR, companies must not only ensure that personal data is gathered legally under strict conditions, but those who collect and manage the data must also protect it from misuse.

Violating GDPR will expose an organization to hefty fines and penalties. Overall, the major aim of EU GDPR is to respect the rights of data owners.

GDPR compliance deadline:

The new rules go into effect on May 25th, 2018. All organizations are expected to be compliant with GDPR by this hard deadline.

Impact of EU GDPR on your Business

Businesses will see the following significant changes:

•    The definition of personal data becomes broader: besides a name, contact details, and financial and medical information, it also includes IP addresses.
•    User consent gets trickier. Businesses must have a lawful reason to collect and store personal data, and should obtain permission for every data processing purpose.
•    Businesses must maintain data processing documentation and keep records of when user consent was obtained. Companies must be able to account for all of their processing activities.
•    Data breaches must be reported within 72 hours. You will need to monitor data security and communicate even small violations to the national data protection regulator or the user.
•    Businesses must be able to erase user data or transfer it to other services upon request.

By introducing the GDPR, the European Commission predicted that businesses would see benefits: with the new set of rules (GDPR) in place, nearly €2.3 billion per year can be saved across Europe.

Businesses can better safeguard the data of their users. Under these rules, companies are allowed to use techniques like 'pseudonymization' in order to benefit from collecting and analysing personal data while the privacy of their customers is protected at the same time.
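The paragraph above mentions pseudonymization without showing what separates a real pseudonym from a cosmetic one. The following Python example is added here and is not code from the original article: it contrasts an unkeyed hash of an email address (which anyone can recompute, so the record stays linkable) with an HMAC-based pseudonym whose key is the "additional information" that must be stored separately from the analytics copy. The customer records, the key handling and the helper names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (made-up people) of the kind a business keeps.
CUSTOMER_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.com", "country": "DE", "purchases": 2},
]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. It looks anonymous but is not: anyone
    who knows an email address can recompute the digest and link the row to it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Only the holder of `key` (kept apart from the data,
    e.g. in a secrets manager) can regenerate or verify the token."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records, key):
    """Build the analytics copy: the direct identifier is replaced by a keyed token.
    Equal emails map to equal tokens, so per-customer aggregation still works."""
    return [
        {"customer_token": keyed_pseudonym(r["email"], key),
         "country": r["country"], "purchases": r["purchases"]}
        for r in records
    ]


def purchases_per_customer(pseudonymised):
    """Aggregate over the analytics copy without ever touching an email address."""
    totals = {}
    for row in pseudonymised:
        totals[row["customer_token"]] = totals.get(row["customer_token"], 0) + row["purchases"]
    return totals


def linkable_without_key(tokens, known_emails):
    """Risk check for a data protection review: how many tokens can be regenerated
    from a list of known emails without the key? For keyed tokens this must be 0."""
    regenerated = {naive_pseudonym(e) for e in known_emails}
    return sum(1 for t in tokens if t in regenerated)


if __name__ == "__main__":
    # The key is generated once and never travels with the analytics copy.
    key = secrets.token_bytes(32)
    analytics = pseudonymise_dataset(CUSTOMER_RECORDS, key)
    print(purchases_per_customer(analytics))
    emails = [r["email"] for r in CUSTOMER_RECORDS]
    print("naive tokens linkable:", linkable_without_key([naive_pseudonym(e) for e in emails], emails))
    print("keyed tokens linkable:", linkable_without_key([r["customer_token"] for r in analytics], emails))
```

The design point is key separation: the analytics team receives only the tokens, the key stays with the team that legitimately needs to re-identify a customer (for example to honour an erasure request), and rotating the key invalidates every token at once.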

Who does GDPR apply to?

GDPR applies to any organization operating within the EU and to organizations outside the EU that offer goods and services to customers or businesses in the EU. So, major organizations across the globe are required to start working on a GDPR compliance strategy.


Does GDPR Apply to US Companies?

According to the EU GDPR, the regulation applies to EU companies and EU citizens. Beyond this, it also applies to any company that does business in the EU, or outside the EU with EU citizens. This may include any online business whose website is accessible to EU citizens, if that website collects user data.

Personal data gathered includes cookies, biographical information or current living situation, religion, workplace data and information about education, salary, tax information, political opinions, geo-tracking data, etc.

In simple terms, GDPR applies to all companies that process personal data in EU member states or the data of EU citizens.

In an online context, the GDPR will be relevant if:

•    You have a strong internet presence in the EU (even if you do not sell directly into the EU)
•    You are an e-commerce company that accepts EU currencies and/or has an EU domain suffix (such as .co.uk, .fr, .de, etc.)
•    You have any EU visitors and you conduct personalization on your website.

To continue doing business in the EU or with EU citizens, most US companies must implement additional privacy protections and adopt end-to-end data protection strategies.

What does GDPR mean for consumers?

Over the years there have been many data hacks on the internet, whether of email addresses, passwords, social security numbers, or confidential health records. With GDPR coming into existence, consumers and citizens are given a ‘right to know’ when their data has been hacked. Consumers can also easily access their own personal data and learn how it is processed.


Consumers who no longer want their personal data processed can have it deleted, and they also gain additional rights and freedoms. The implementation of GDPR requires organizations to keep these consumer rights in mind.

Under the GDPR, individuals have:

a) The Right to Access: Individuals have the right to request access to their personal data and to ask companies how their data is used after it has been gathered. On request, the company must provide a copy of the personal data, free of charge and in electronic format.
b) The Right to be Forgotten: If a consumer is no longer a customer of a particular company, the consumer can request that his/her personal data be deleted from the company’s records.
c) The Right to Data Portability: Individuals have the right to transfer their data from one service provider to another, and this must happen in a commonly used and machine-readable format.
d) The Right to be Informed: If a company gathers data, individuals must be informed before the data is gathered. Consumers have to opt in to their data being gathered, and consent must be freely given rather than implied.
e) The Right to have Information Corrected: Individuals have the right to have their data updated if it is out of date, incomplete, or incorrect.
f) The Right to Restrict Processing: Individuals can request that their data not be used for processing. Their record can remain in place, but not be used.
g) The Right to Object: Individuals have the right to stop the processing of their data for direct marketing. Companies must act on such requests as soon as they are received. In addition, this right must be made clear to individuals at the very start of any communication.
h) The Right to be Notified: Individuals have the right to be informed within 72 hours if a data breach has compromised their personal data.

Criteria Companies Need to Meet:

It is clear that companies that store or process EU citizens’ information within EU states must comply with the GDPR, even if they do not have a business presence within the EU.

Companies are subject to GDPR if:

(1) The business has a presence in an EU country;
(2) Even if there is no presence in the EU, the company still processes personal data of European residents;
(3) There are more than 250 employees; and
(4) Even if there are fewer than 250 employees, the data-processing impacts the rights and freedoms of its data subjects

How to Comply with EU GDPR?

Here are tips, best practices, and strategies to help organizations address GDPR requirements and avoid the consequences of non-compliance.

a)    Hire a Data Protection Officer (DPO): A Data Protection Officer (DPO) helps your company ensure that the processing of data about its customers, staff, employees, providers, or any other individuals complies with the applicable data protection rules.
b)    Ensure Email Security: To fulfil GDPR requirements, companies must achieve full control and visibility over email activity in order to prevent email-based attacks on protected information.
c)    Deploy Safety Perimeters: To reduce the network’s exposure to cyber threats, companies can deploy next-generation firewalls. These protect against emerging threats and feature deep packet inspection; real-time decryption and inspection of SSL sessions; adaptive, multi-engine sandboxing; and full control and visualization of applications.
d)    Deploy a firm access governance solution: The ability to govern access to applications that hold EU citizens’ personal data, particularly unstructured data, is a major factor in data security and GDPR compliance.

GDPR fines and penalties for non-compliance:

If a company fails to comply with GDPR guidelines, it faces a fine ranging from 10 million Euros to four per cent of the company's annual global turnover, a figure which for some could mean billions. Fines will depend on the severity of the breach and on whether the company has taken compliance and security regulations seriously.

The European Commission will impose a penalty of 20 million Euros or four per cent of worldwide turnover for infringements of the rights of data subjects, unauthorized international transfer of personal data, and failure to put procedures in place for, or ignoring, subject access requests.

Companies that mishandle data in other ways will be penalized 10 million Euros or two per cent of worldwide turnover.

Preparations for GDPR-Compliance

A key component of the GDPR legislation is ‘privacy’. To be compliant with GDPR, a company must consider many things.

Here are just a few ways to get started or prepare for GDPR-Compliance:

1) Map your Company’s Data
Companies must map all of the personal data they receive and document what the organization will do with it. Identify where the data resides, who can access it, and whether there are any risks to the data. Besides helping with GDPR compliance, this will also improve the company’s Customer Relationship Management.

2) Follow more disciplined treatment of personal data
GDPR encourages a more disciplined treatment of personal data. Companies must gather only the information that is necessary and remove any data that isn’t used. If your company collects a lot of data without any real benefit, you won’t be able to keep doing so in a GDPR world.

Companies must ask themselves questions such as:

•    Why exactly are we archiving this data instead of just erasing it?
•    Why are we saving all this data?
•    What are we trying to achieve by collecting all these categories of personal information?
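Steps 1 and 2 above (map where personal data lives and who can reach it, then drop what is not needed) are the two preparation steps that can be partly automated. The following Python example is added here and is not code from the original article: over a constructed set of internal datasets it builds a data inventory by recognising personal-data fields (by value pattern for emails and IP addresses, by field name for the other categories the article lists), flags records older than an assumed retention period as erasure candidates, and reports roles whose access exceeds an assumed per-category policy. The dataset names, records, retention period and allowed-reader policy are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import date, timedelta

# Constructed sample: three internal datasets with the roles allowed to read each.
# All names, addresses and values are made up.
SYSTEMS = {
    "crm.customers": {
        "access": ["sales", "support"],
        "rows": [
            {"id": 1, "full_name": "Ana Example", "email": "ana@example.com",
             "last_activity": "2018-03-10"},
            {"id": 2, "full_name": "Ben Sample", "email": "ben@example.org",
             "last_activity": "2015-01-22"},
        ],
    },
    "web.access_log": {
        "access": ["ops", "security"],
        "rows": [
            {"client_ip": "203.0.113.7", "path": "/account", "last_activity": "2016-06-01"},
            {"client_ip": "198.51.100.9", "path": "/", "last_activity": "2018-05-20"},
        ],
    },
    "hr.payroll": {
        "access": ["hr", "finance", "sales"],  # 'sales' is an over-broad grant
        "rows": [
            {"employee": "Cara Demo", "salary": 54000, "tax_id": "TX-000-CONSTRUCTED",
             "last_activity": "2018-05-01"},
        ],
    },
}

# Assumed policy: which roles may read each personal-data category.
ALLOWED_READERS = {
    "name": {"sales", "support", "hr", "finance"},
    "email": {"sales", "support"},
    "ip_address": {"ops", "security"},
    "financial": {"hr", "finance"},
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Field-name hints for the categories the article lists as personal data.
NAME_HINTS = {"name": "name", "email": "email", "ip": "ip_address", "salary": "financial",
              "tax": "financial", "employee": "name", "religion": "special_category",
              "location": "location"}


def classify(field, value):
    """Return the personal-data category of a field, or None if none is recognised.
    Values are checked first (an email or IP address is identifiable whatever the
    column is called), then the field name is matched against NAME_HINTS."""
    if isinstance(value, str):
        if EMAIL_RE.match(value):
            return "email"
        try:
            ipaddress.ip_address(value)
            return "ip_address"
        except ValueError:
            pass
    for hint, category in NAME_HINTS.items():
        if hint in field.lower():
            return category
    return None


def build_inventory(systems):
    """Step 1: one entry per (system, field) holding personal data, with its readers."""
    inventory = []
    for system, meta in systems.items():
        seen = set()
        for row in meta["rows"]:
            for field, value in row.items():
                category = classify(field, value)
                if category and field not in seen:
                    seen.add(field)
                    inventory.append({"system": system, "field": field,
                                      "category": category, "access": list(meta["access"])})
    return inventory


def stale_records(systems, retention_days, today):
    """Step 2: (system, row index) of records untouched for longer than the assumed
    retention period, i.e. candidates for erasure under data minimisation."""
    cutoff = today - timedelta(days=retention_days)
    return [(system, i)
            for system, meta in systems.items()
            for i, row in enumerate(meta["rows"])
            if date.fromisoformat(row["last_activity"]) < cutoff]


def over_broad_access(inventory, allowed):
    """Roles that can read a field but are not in the allowed set for its category."""
    findings = []
    for item in inventory:
        extra = sorted(set(item["access"]) - allowed.get(item["category"], set()))
        if extra:
            findings.append((item["system"], item["field"], extra))
    return findings


if __name__ == "__main__":
    inv = build_inventory(SYSTEMS)
    for item in inv:
        print(item)
    print("stale:", stale_records(SYSTEMS, 730, date(2018, 5, 25)))
    print("over-broad access:", over_broad_access(inv, ALLOWED_READERS))
```

In practice the inventory would be fed from database schemas and log samples rather than an inline dict, but the three questions it answers (where is the data, who can read it, what can be deleted) are the ones the two steps ask.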

3) Place security measures against data breaches
Implement protective procedures to avoid data breaches, and be ready to take quick action to notify individuals and authorities if a data breach does occur.

4) Review your Privacy Statements
Companies have to review privacy statements/policies and disclosures and adjust them wherever necessary.

5) Establish procedures for handling personal data
Companies must establish procedures for handling the personal data of consumers/citizens. This makes it easier to deal with the problem if a data breach occurs.

Do’s of Organizations (Based on GDPR):

According to GDPR, organizations must:

•    Only process data for authorized purposes
•    Ensure data accuracy and integrity
•    Minimize subjects’ identity exposure
•    Implement data security measures

Bottom line:

In business, data plays a significant role, and besides creating challenges, GDPR also creates opportunities. Companies that value their customers’ data and privacy, that are transparent about how the data is used, and that design and implement new and improved ways of managing customer data throughout its life cycle will definitely build deeper trust and retain more loyal customers.

Businesses need to dedicate time to updating their privacy policies to become compliant. The practical tips discussed in this article will help you get started.

Create a plan of action for your journey to GDPR!