Written by: Roshan Dwivedi
A thin line separates legitimate interest in consumer behaviour from invasion of online privacy. For example, most of us have seen content suddenly appear as a sponsored post in our Facebook feed, as paid content on a news site, or in the Skype sidebar. Our online activities are tracked by the companies whose services we use and by so-called data brokers. As companies adopt data intelligence tools to analyse and serve their customers better, it is important that they remain accountable for individuals' security and privacy.
The General Data Protection Regulation (GDPR) is one major legislative update that affects companies: it sets a new standard for users' rights over their personal data. These new rules may prove a great challenge for many. According to a recent PwC survey, 68% of US-based businesses expect to spend $1 million to $10 million to meet GDPR standards within the next year, and a further 9% expect to spend more than $10 million.
Check out the FAQs below to learn more about the General Data Protection Regulation and how it will affect corporate obligations and data privacy in the EU.
1. What is the GDPR?
The General Data Protection Regulation (GDPR) is a new data protection law in the EU that takes effect on May 25, 2018. It is designed to protect personal data in light of rapid globalization, technological advances and the international flow of personal data. It updates and replaces a collection of national data protection laws and is directly enforceable in each EU member state.
2. What does the GDPR control and whom does the GDPR apply to?
The GDPR governs the processing of EU individuals' personal data, including its collection, storage, transfer and use. It applies to any company, entity or organization that processes the personal data of EU individuals, regardless of whether the organization has a physical presence in the EU.
3. Why was the GDPR drafted?
The GDPR was created in response to growing public concern over data privacy. The aim was to regulate how businesses use data and to ensure that the rules are the same across the entire EU. The GDPR replaces the EU's Data Protection Directive, which went into effect in 1995. Now that the internet has become the hub of online business, the directive looks outdated: it does not address many of the ways in which data is collected, stored and transferred today.
Another major driver is the EU's desire to bring clarity to the legal environment that governs how an organization should act. By making data protection law identical across member states, the EU expects companies to meet only one set of rules, instead of dozens of different national implementations of the 1995 Data Protection Directive.
4. How does the GDPR change privacy law?
The following are the key changes:
- Data privacy rights for EU individuals
- User profiling and monitoring requirements
- Notification for data breach and additional security requirements for organizations
The GDPR also includes corporate rules under which organizations can legitimately transfer personal data outside the EU, and a fine of 4% of global revenue for organizations that fail to comply with their GDPR obligations.
5. What kinds of personal data does the GDPR protect?
- Web data such as IP address, location, cookie data and RFID tags
- Basic identity information such as name, address and ID numbers
- Political opinions
- Biometric data
- Health and genetic data
- Racial or ethnic data
6. What is different about sensitive personal data (special categories)?
The rules for sensitive data, or special categories of data, are stricter than those for other data. Processing of special categories of data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed to uniquely identify a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, is prohibited. Processing such information is permitted only with the additional measures defined in the GDPR and additional consent.
7. When is an organization considered to be “aware” of a breach?
The deadline for reporting a data breach is tied to the moment the data controller becomes "aware" of the breach. Under the GDPR guidelines, an organization is considered "aware" of a breach only once it has a reasonable degree of certainty that a security incident has compromised personal data.
After first detecting a breach, an organization has a relatively short period in which to investigate and verify it. Notification of a data breach of any sort must be sent out within 72 hours of becoming aware of it.
8. Does the GDPR require EU personal data to remain in the EU?
No. The GDPR does not require EU personal data to remain in the EU, and it does not impose a general restriction on transfers of personal data outside the EU; see question 4 for the corporate rules that legitimize such transfers.
9. Who within the company will be responsible for compliance?
Under the GDPR, several roles, namely the data processor, the data controller and the data protection officer (DPO), are responsible for ensuring compliance. Data processors maintain and process personal data records according to the controller's instructions. A data controller collects personal data from the data subject for a stated purpose and with the data subject's consent.
10. What does it mean for organizations subject to GDPR?
- Organizations subject to the GDPR need to determine how the GDPR applies to them (whether the company is a processor, a controller, or both).
- If the GDPR applies, organizations need to review their products, systems, policies, services, practices and methodologies to ensure they fully comply with the applicable GDPR requirements.
11. What can you do to make your business GDPR compliant?
Complying with the GDPR may not require you to modify your existing processes, but it will require you to inform your users about aspects such as the type of data collected and the reason for collecting it, how the data is used, and how long it is stored.
The following measures may be needed in order to comply with the GDPR:
- Consent of the user: An end user must be asked to consent to the collection of their personal data. This includes consent to share personal information, notification to users of the categories of data to be used, an option to withdraw consent, and so on.
- Age limitation: Restrictions on collecting data from individuals younger than 16 years of age.
- Inform existing users of changes: The data controller must inform all existing users of changes made to its policies and ask the users to accept or consent to the changes.
- Right to be forgotten: Users should be allowed to request erasure of their personal data when any of the following applies:
  - The data is no longer necessary for the purposes for which it was collected
  - The data subject withdraws consent
  - The data was processed unlawfully
The GDPR is necessary, and despite all the headaches of compliance, that is still a definite win. Analytics businesses and market research companies would do well to acquire the resources that will help them become compliant. As data custodians, companies owe it to their clients to manage their most valuable asset: client data.