What is GDPR? The General Data Protection Regulation (GDPR) is a comprehensive privacy regulation of the European Union; it was adopted in 2016 and has applied since 25 May 2018.
The GDPR protects individuals in the EU (the law is about where the data subject is, not their citizenship) from data misuse and abuse as well as careless data practices. It is the answer to the call for companies to be more transparent and accountable in their data practices.
It covers every aspect of working with data, from capture to erasure.
The GDPR concerns itself with accountability, transparency, and fairness. At the heart of the law is data minimization. In other words, you shouldn't be collecting, using, or storing data that you don't have a use for. And you definitely shouldn't do those things without a lawful basis for the processing, such as the data subject's consent.
Why GDPR was introduced
In today's digital world, a frightening amount of personal information (banking details, contact lists, our IP addresses, documents, and social media feeds) is available online. Have we, as consumers, ever wondered how this data is collected, stored, and used? This is why, in May 2018, a European privacy regulation called GDPR became mandatory for all businesses offering goods or services to, or monitoring, individuals in the EU.
As a machine learning services and data entry services provider and a GDPR-compliant firm, iTech briefly explains all you need to know about GDPR.
Are all companies GDPR compliant yet?
Dell and Dimension Research came out with surprising facts from their survey of 800 professionals responsible for data protection. It found that 80 percent of those surveyed had little or no idea of what is involved in the GDPR. Months after it became mandatory, 1 in 4 companies still had work to do to become GDPR compliant. And it is not just smaller businesses; many tech companies are trailing as well. It is time for a fast catch-up if you don't want to pay hefty fines.
Many companies beyond Europe, particularly in America and Asia, are setting up compliance programs. Whatever your industry and wherever you are located, here is a summary of what GDPR is, how it can impact your business, and tips to get compliant.
Does GDPR Apply to You?
The GDPR applies to you if you collect data from individuals in the EU, whom the law protects, regardless of their citizenship.
Even if you are not based in the EU and do not pay taxes in an EU member state, you must still comply with the GDPR as long as you collect or continue to store data from EU data subjects.
If you don't wish to go through the compliance process, then you'll need to block access to your site from the EU to avoid inadvertently collecting EU data.
Whether or not you need to comply, consider doing so anyway. Many of the GDPR principles are good business practice, and today’s internet users expect and demand a greater degree of privacy whether or not it’s the law.
Why businesses must get GDPR compliant?
Companies will have to review all their business processes and overhaul their sign-up forms.
For example, if you send a newsletter, you will have to prove that the customer explicitly opted in to it. A blanket acceptance no longer covers every kind of user engagement. Also, businesses cannot withhold a service (for example, by making a website inaccessible) because a user declined to consent to the capture of personal details that the service does not actually need.
Under the GDPR, individuals have a set of fundamental rights:
- The right of access: to request a copy of their personal data and to know how the business is using it.
- The right to be forgotten (erasure): to withdraw consent and have their information deleted. The responsibility is on the business, as controller, to have the data removed by its processors and, where it has made the data public, to inform other controllers of the erasure request.
- The right to data portability: to receive their data in a machine-readable format and have it transmitted from one provider to another.
- The right to be informed: the user is told, before any data is collected, what will be collected and why.
- The right to rectification: the user can have inaccurate information corrected or completed at any time.
- The right to restrict processing: individuals can require that their data is stored but not otherwise processed.
- The right to object: they can stop their data from being used for any direct marketing activity.
- And, most important of all, an obligation on the business rather than a right of the individual: for any personal data breach, notify the supervisory authority within 72 hours of becoming aware of it, and notify the affected users without undue delay when the breach is likely to put them at high risk. This makes it vital for businesses to implement security checks at every level and implement a notification system as we
GDPR and Data Capture
On May 25, 2018, the new General Data Protection Regulation (GDPR) came into effect. It applies to all businesses that sell to individuals in Europe (the "controllers" that decide why and how data is processed). It also covers every technical processing company that processes the information on the seller's behalf (the "processors").
What GDPR means is that customers have more control over their personal data. This data is anything relating to an identifiable person: name, photo, email address, bank details, location data, medical information, or IP address.
This has a far-reaching impact on businesses when it comes to customer engagement. The old opt-out process and implicit consent are gone; we have already seen it with Facebook, which has had to switch to an opt-in consent process. In the eyes of the law, inaction on the user's part cannot imply that they consent to their data being captured.
The most tangible impact of the GDPR for businesses tends to be in how their consent mechanisms change.
You can't capture data without a legal basis. One of those legal bases is consent. However, consent can't be implied; you have to be able to prove it.
Article 7 of the GDPR covers the “conditions for consent.”
Essentially, you need to be able to:
- Prove the data subject consented (Article 7(1): the controller bears the burden of demonstrating consent)
- Present the consent request so that it is clearly distinguishable from other matters, easily accessible, and written in clear and plain language (Article 7(2))
- Tell the subject, before they consent, that they can withdraw it whenever they want (Article 7(3))
- Make withdrawing consent as easy as giving it
- Never make a service conditional on consent to processing that the service does not actually need (Article 7(4))
In other words, the customer needs to know that they are consenting to data processing, and you can't bar them from your site if they don't consent to processing you don't need.
Getting consent once isn't enough. If you change the way you process the data, you need to seek consent for the new processing. One consent doesn't cover all conditions.
If any of your data processing activities change, you need to inform your data subjects and will most likely have to ask for consent again.
Meeting the Conditions
What do those consent conditions look like in practice?
It means obtaining, in the words of Article 4(11), a "clear, affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing." A pre-ticked box, silence, or inactivity does not qualify.
When you seek affirmative consent (such as the user ticking an unticked box), you'll need to share details like:
- How you process the data
- Why you process the data
- How to revoke consent
- Whether you share the data with third parties
- Whether the data leaves the EU
- How long you store data
Additionally, all the information you provide needs to be written in clear language that anyone can read. That means writing to the reading level of your average user, choosing a readable font, and organizing your privacy statement well.
Trying to mask your data practices in legalese or "fine print" can earn you a stern call from your local data protection authority. Taken too far, you'll be named, shamed, and fined.
Data Capture in the Age of the Right to Be Forgotten
The ability to freely and easily withdraw consent is an important part of data capture. Article 7(3) says that it must be as easy for data subjects to withdraw their consent as it was to give it.
As well as showing data subjects how to withdraw consent for processing, companies must now abide by the "right to be forgotten" principle.
The right to be forgotten (the right to erasure) is one of the data subjects' rights. Outlined in Article 17, it says that data subjects may request the erasure of their data in specific circumstances.
They may request to be ‘forgotten’ when:
- You no longer need their personal data for the original collection purpose
- They withdraw the consent on which the processing was based and you have no other legal basis for it
- You processed their data unlawfully
- You must erase it to comply with a law
In these cases, you have an obligation to delete their data “without undue delay.”
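As an added example (not iTech's code and not part of the original article), the following Python consent ledger puts the Article 7 conditions above, the withdrawal rule, and the Article 17 erasure obligation into one working structure: it stores each consent with the version and SHA-256 digest of the notice the subject saw (so you can prove what was agreed), rejects anything that was not an affirmative act, treats a changed notice version as requiring fresh consent, makes withdrawal a single unconditional call, and erases everything on request. The class and function names, the purpose label "newsletter", the subject id and the notice texts are all constructed assumptions for the demonstration.

```python
"""Consent ledger illustrating GDPR Articles 7 and 17 (added example, not iTech's code)."""
from __future__ import annotations

import hashlib
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                  # one record per processing purpose, e.g. "newsletter"
    notice_version: str           # version of the privacy notice shown at the time
    notice_sha256: str            # digest of the notice text: proof of what was agreed to
    granted_at: float             # Unix time of the affirmative act
    withdrawn_at: Optional[float] = None


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        # (subject_id, purpose) -> history, newest last. Keep history, not just state.
        self._records: dict[tuple[str, str], list[ConsentRecord]] = {}

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       notice_text: str, affirmative_act: bool,
                       now: Optional[float] = None) -> ConsentRecord:
        # Article 4(11)/7: silence, pre-ticked boxes or inactivity are not consent,
        # so the caller must state that a clear affirmative act took place.
        if not affirmative_act:
            raise ValueError("consent requires a clear affirmative act by the data subject")
        rec = ConsentRecord(subject_id, purpose, notice_version, _digest(notice_text),
                            now if now is not None else time.time())
        self._records.setdefault((subject_id, purpose), []).append(rec)
        return rec

    def withdraw_consent(self, subject_id: str, purpose: str,
                         now: Optional[float] = None) -> bool:
        # Article 7(3): withdrawing must be as easy as granting: one call, no conditions.
        history = self._records.get((subject_id, purpose), [])
        if not history or history[-1].withdrawn_at is not None:
            return False          # nothing active to withdraw
        history[-1].withdrawn_at = now if now is not None else time.time()
        return True

    def has_valid_consent(self, subject_id: str, purpose: str,
                          current_notice_version: str) -> bool:
        # Consent is specific to what was disclosed: if the notice version has moved on,
        # the processing changed and the old consent no longer covers it.
        history = self._records.get((subject_id, purpose), [])
        if not history:
            return False
        latest = history[-1]
        return latest.withdrawn_at is None and latest.notice_version == current_notice_version

    def proof_of_consent(self, subject_id: str, purpose: str) -> Optional[dict]:
        # What you would show a supervisory authority: who, what, when, under which notice.
        history = self._records.get((subject_id, purpose), [])
        if not history:
            return None
        latest = history[-1]
        return {"subject_id": latest.subject_id, "purpose": latest.purpose,
                "notice_version": latest.notice_version, "notice_sha256": latest.notice_sha256,
                "granted_at": latest.granted_at, "withdrawn_at": latest.withdrawn_at}

    def erase_subject(self, subject_id: str) -> int:
        # Article 17: drop every record for the subject; returns how many were removed.
        keys = [k for k in self._records if k[0] == subject_id]
        return sum(len(self._records.pop(k)) for k in keys)


def demo() -> dict:
    """Walk through grant -> notice change -> re-consent -> withdraw -> erase (constructed data)."""
    ledger = ConsentLedger()
    notice_v1 = "We email you a monthly newsletter. Unsubscribe any time."            # constructed
    notice_v2 = notice_v1 + " We also share your address with a partner."            # constructed
    ledger.record_consent("s-42", "newsletter", "v1", notice_v1, affirmative_act=True, now=1000.0)
    out = {"valid_v1": ledger.has_valid_consent("s-42", "newsletter", "v1")}
    out["valid_after_change"] = ledger.has_valid_consent("s-42", "newsletter", "v2")  # needs re-consent
    ledger.record_consent("s-42", "newsletter", "v2", notice_v2, affirmative_act=True, now=2000.0)
    out["valid_v2"] = ledger.has_valid_consent("s-42", "newsletter", "v2")
    out["withdrawn"] = ledger.withdraw_consent("s-42", "newsletter", now=3000.0)
    out["valid_after_withdraw"] = ledger.has_valid_consent("s-42", "newsletter", "v2")
    out["erased"] = ledger.erase_subject("s-42")
    out["proof_after_erase"] = ledger.proof_of_consent("s-42", "newsletter")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the ledger keeps the full history rather than a single current flag, because proving consent later means showing the record as it was when the data was collected; and erasure here removes the consent records themselves, which is the right default, though many controllers keep a separate minimal log of the erasure request so they can show they acted on it.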
GDPR Compliance Isn’t Optional
As of May 25, 2018, you must either comply or block access to your site from the EU.
Companies that continue to ignore the rules or provide woefully inadequate solutions face serious fines.
Article 83 allows fines of up to 10 million euros or two percent of total worldwide annual turnover, and for the more serious infringements up to 20 million euros or four percent, whichever is higher in each case.
In January 2019 Google was fined 50 million euros (about $57 million) after CNIL, the French data protection regulator, ruled that Google had not done enough to obtain valid consent from users.
Part of upholding the GDPR means working with GDPR-compliant solutions providers. Get in touch today to learn how we can keep your data capture compliant.
Penalties for GDPR violations
The General Data Protection Regulation intends to build trust between consumers and the businesses handling their personal data. Any violation can attract hefty penalties on data controllers as well as on data processors. For severe breaches, fines can go up to 20 million euros or 4 percent of global turnover, whichever is higher. The amount of the penalty varies based on factors such as the steps taken to become GDPR compliant, the severity of the breach, the mechanisms in place to prevent a breach, and so on.
Recognizing the importance of GDPR, iTech has taken all the required steps to be compliant in all our services: data entry outsourcing, freight audit, medical insurance verification, and more. Contact us for secure data services.