Every aspect of our lives revolves around data. Almost every service we use today involves collecting and analyzing our data, from social media companies to banks, retailers, and governments. Our name, address, credit card number, and other data are all collected, examined, and stored by other organizations.
Customers could be carelessly exposing themselves to hackers and scammers, but GDPR now governs how businesses and other entities process and handle data.
But what is GDPR, and how does it affect you as a business owner and customer? Let's take a look at the GDPR definition.
GDPR stands for General Data Protection Regulation. It was implemented by the European Union to protect the citizens of its member states from unnecessary and unethical exploitation of their information.
In simple terms, the General Data Protection Regulation (GDPR) is a new set of rules created by the European Union to give citizens more control over their personal data. It is intended for streamlining the regulatory environment for business, so both citizens and companies in the EU can fully benefit from the digital economy.
The purpose of the General Data Protection Regulation is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of their personal data.
Along with its implementation comes a complementary set of requirements for all entities doing business with EU countries and citizens.
GDPR does not only affect countries within Europe. The General Data Protection Regulation applies to businesses and organizations worldwide, whether operating within the EU or outside of it, that offer goods or services to customers and companies within the EU.
This means that all entities marketing to the EU need to comply with the GDPR policies. Although coming from the EU, GDPR can apply to businesses that are based outside the region. So, if a company in the US does business in the EU, then GDPR can apply.
Data can get lost, stolen, and released into the hands of people with malicious intent. Therefore, the EU has strictly implemented rules and regulations that businesses have to follow to protect their constituents.
Under GDPR, organizations not only have to ensure that personal information is collected legally and under strict conditions but are also obliged to protect it from misuse and to respect the rights of its owners. Otherwise, they face penalties that could significantly hurt their business.
If you process data, you have to abide by the protection and accountability principles of GDPR outlined in Article 5. Here are the seven general data protection regulation 2018 principles.
There are two types of data-handlers the legislation applies to. They are the GDPR data processors and GDPR data controllers.
A GDPR data controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where those purposes and means are determined by Union or Member State law, the controller may be designated by that law.
A GDPR data processor, on the other hand, is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. It processes the data that the data controller provides. It is the third party the organization has chosen to work with in the collection and processing of data.
Under GDPR, processors carry a much higher level of legal liability than before should the organization be breached.
All information that identifies an individual, directly or indirectly, is considered to be personal data.
The personal data in GDPR can be apparent, such as the person's name, address, phone numbers, and credit card information. It could also be sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health information, and other sensitive data that could be processed to identify an individual uniquely.
Personal data under GDPR also extends to less obvious information such as IP addresses and cookie identifiers.
In January 2012, the European Commission set out plans to reform the data protection policy across the European Union to cope with the digital age, and one of its main components is the introduction of GDPR, which would apply to all organizations in all member-states, businesses and individuals alike, across Europe and beyond.
After four years of preparation and debate, the European Parliament approved the GDPR in April 2016, with the official text of the regulation published in all of the EU's official languages in May 2016.
The General Data Protection Regulation then came into force on the 25th of May 2018, requiring all organizations to comply with the new European Union regulation.
GDPR is a game-changer in the field of data regulation. It gives customers options in how they give out their data and protections for their personal information.
GDPR's rules put customers at ease when it comes to disclosing their personal information. Customers are promised easier access to their data and are also informed about how their data is used.
Furthermore, customers are given the freedom to opt in or opt out of a system or database. GDPR brings a clarified 'right to be forgotten' process, which provides additional rights and freedoms to individuals who no longer want their data held in others' systems.
Customers are also given the right to know when their data is hacked. Organizations are required to inform the appropriate supervisory body as soon as possible to ensure EU citizens can take proper measures to prevent their data from being abused.
GDPR has required all entities to report certain types of data breaches that involve unauthorized access or loss of personal data.
In case of a company losing data, be it as a result of a cyberattack, human error, or anything else, the company is obliged to deliver a breach notification to the people affected and to the supervisory body.
Companies and other organizations are obliged to report any breaches that will probably bring danger to the customers' rights and freedoms, lead to discrimination, damage customer reputation, loss of finances, loss of confidentiality, or any other economic or social impediment.
In other words, if a customer's name, address, date of birth, health records, bank details, or any other personal data is maliciously compromised, the organization is required to tell those affected, as well as the relevant regulatory body, to lessen or prevent the damage.
The breach notification must be delivered directly to the victims. It must not be communicated only in a press release, on social media, or a company website, but must also be a one-to-one correspondence with those affected.
A possible data breach must be reported to the relevant supervisory body within 72 hours after the organization becomes aware of it. If the breach is severe, the public must be notified as well, and customers must be informed without undue delay.
The notification must include approximate information about the breach, including the data categories, the number of individuals affected as a result of the incident, and the approximate number of personal data records concerned.
The organization is also required to describe the potential consequences of the data breach, such as theft of money and identity fraud, and a description of the measures being taken to deal with the data breach and counter any negative impacts faced by the customers.
The contact details of the data protection officer also need to be provided so that customers can raise further questions regarding the data breach.
Not every data processor or controller needs to appoint a Data Protection Officer (DPO). You are only required to establish a DPO under the following conditions:
You are a public authority other than a court acting in a judicial capacity
Your core activities require you to monitor people systematically and regularly on a large scale
Your core activities involve large-scale processing of the special categories of data mentioned in Article 9, or of data relating to criminal convictions and offenses mentioned in Article 10 of the GDPR
But you can choose to designate a DPO even if you aren't required to as there are benefits to having someone in this task. Your DPO can significantly help your organization understand the GDPR law, advising people in the organization about their responsibilities, conducting data protection training, conducting audits, and monitoring GDPR compliance.
Fines depend on the severity of the breach and on whether the business or organization has taken GDPR compliance seriously. Failure to comply with the GDPR law may result in a fine ranging from 10 million euros up to 4% of the company's annual global turnover.
A lower fine of 10 million euros or 2% of worldwide turnover applies to companies that mishandle data in other ways, such as:
The maximum fine of 20 million euros or 4% of worldwide turnover, whichever is higher, applies for:
A total of 160,921 personal data breaches have been reported from May 2018 until January 2020.
However, despite the number of reported personal data breaches, GDPR fines issued so far total a bit over €175 million.
The largest GDPR fine so far is €50m issued to Google, Inc in January 2019, after the regulator concluded that the search engine giant was breaking GDPR rules with regard to transparency and to having a valid legal basis when processing people's data for advertising purposes.
It's likely that many more fines will come in 2020 as supervisory authorities across Europe are staffing up their enforcement teams to investigate thousands of cases.
To comply with GDPR guidelines, you have to assess the current data systems, policies, and procedures. Be aware of the kind of data you can collect and how it should be stored.
As a business owner, be informed of the software and technology available to protect customers' data. Review the current data-related guidelines, including encryption, remote access, sensitive information, and data breach. Consider requesting a third-party data security company to carry out an objective evaluation.
Moreover, identify risks and gaps to meet the GDPR requirements, then research solutions to prevent those risks or fill those gaps. Also, educate your staff about GDPR guidelines and the importance of following the guidelines.
Lastly, assign a data protection officer even if your organization is not required to, as this will ensure proper monitoring of the collection and storage of personal data and strict compliance with GDPR policies.
In a nutshell, GDPR is the strictest data privacy law, imposing obligations on organizations worldwide even though it was drafted and passed by the European Union.