Despite the evident necessity to embark on preparation as soon as possible, according to YouGov Survey only 29% of UK businesses have started preparing for GDPR. Almost 38% of business owners claimed that they were not conscious of GDPR particulars and over 71% were ignorant of the amount of fines they may face from the slightest noncompliance.
The deadline for compliance is May 25, 2018. So it is high time to find out what GDPR requirements are, what changes it is going to bring about and how you can get ready.
Feel free to skip to a section, which concerns you:
- The What, Why and Who of GDPR
- How GDPR affects your business
- Become armed to the teeth against GDPR
- Conclusion and more links on GDPR
According to the statistics, the number of malicious cyber attacks are rapidly increasing every year.
In April 2017, The Telegraph reported that cyber attacks hit half of UK businesses.
According to a survey conducted by TNS Opinion and Social of 28 member countries of the EU, people are more likely not to entrust their personal data to companies and businesses:
- Just 15% of respondents who said previously that they provide personal information online, feel they have complete control, while half (50%) say they have partial control, and nearly a third (31%) feel that they have no control at all over their personal information online.
- Over 7 out of 10 people are concerned about their information being used for a different purpose from the one it was collected for.
- More than 6 out of 10 respondents say that they do not trust landline or mobile phone companies and internet service providers (62%) or online businesses (63%).
In May 2018, GDPR will be applied to everyone involved in the process of gathering, processing, and keeping personal data of European citizens.
Even if your business has no online presence, but your team collects your customers phone numbers, it will fall in the scope of the regulation.
Companies with online activities may use online services for data storage and transmission. And for further understanding of GDPR principles, we should define data subject, data controller, and data processor for this case.
Meet Lucy. She is crazy about shopping. Lucy likes shopping on Amazon. To register on the website and buy things, Lucy gave out her personal data including credit card and bank details. In this case, the girl is a data subject because the data is about her.
Amazon is a data controller because it decides how the data will be processed.
Amazon outsources its customer support to the third party call center. Employees in that call center have access to some Amazon.com records but can only use this data for very specific purposes.
In this case, the call center is known as a data processor as it deals and handles personal information in a limited way.
GDPR will represent a shake-up for all parties.
According to a Veritas research, more than 40 % of businesses fear major compliance failing and less than 30% of companies are scared of reputational damage caused by poor data protection policies.
Becoming more aware of their rights, customers will search for and work with the companies that will be able to demonstrate their capacity to handle their data more securely in comparison with others. Do not miss the chance!
Let’s have a look at the main points that determine the core of the new law and see what changes to your business should be brought about and implemented very soon.
1. EU Residents will have the extended and strengthened right to know what you are doing with their data.
A data subject will have the extended and strengthened right to know what you are doing with their data. It is very clearly laid out what information data controllers and data processors (you) are obliged to provide their customers with if requested:
- who you are;
- why you have their data;
- where you got it from;
- how long you will have it;
- how and where it is processed.
It is all about absolute transparency.
There is a distinction drawn as to whether you got the data direct from the customer or from somebody else (third party). Undoubtedly, it will have a big impact on contracts privacy policies.
2. Silence and inactivity are no longer signs of user’s consent for processing his/her personal data.
Getting valid consent under the GDPR will become harder as it has to be freely given and specific to each processing activity. It must be a statement of clear permissive action.
According to KuppingerCole analyst Karsten Kinast, this GDPR principle is one of the most challenging. “Organizations need to ensure they use simple language when asking for consent to collect personal data, they need to be clear about how they will use the information, and they need to understand that silence or inactivity no longer constitutes consent”, he stated.
For example, right now if you track visitors on your website and monitor what buttons they click, what pages they visit or what articles they read, you don’t need any consent from their side to do so.
When GDPR comes into force, you will have to ask for user permission to track his/her activity on your website and inform him/her about your purpose of doing so. It will require implementation of relevant technical solutions.
3. The time for data breach notification is shortened to 72 hours.
In an increasingly connected world, a data breach of any kind can be problematic as it bears an evident danger both for the company and its customers. Due to the new data protection regulation, any type of data breach must be notified within 72 hours.
To avoid huge GDPR penalties, in the case of a data breach you have to inform data subjects directly if the result of the breach might cause them significant harm (e.g. disclosure of their bank account details or sensitive data relating to their children, etc.).
4. Right to be forgotten — now user can disappear into thin air from all your backups.
At any stage, the user may request to delete his/her information and not keep/handle it anymore. If you get such request, you are obliged to satisfy the customer wish and delete any records with his/her personal data without undue delay and never use it again.
It means that you will be obliged to delete all individual’s personal data – records in database, backup copies, files and any copies that may have been moved into an archive. According to the law, you have not more than one month to do so.
All software will be required to be capable of completely erasing data, which will be a challenge for a lot of software engineers.
In case your company sent customer’s personal data to a third party (data processor), you should immediately request them to delete it as well.
5. A user has the right to transmit the data from one processing system to another.
It is like with the banks. Imagine that the customer deposits his/her money (personal data) at bank A. After some time he/she notices that bank A does not carry out its function properly and decides to transfer his/her money to bank B.
In other words, data subject has the right to transfer their data to another organization which might be your competitor. This right puts more power in the hands of individuals to swap to any other data controller/processor.
6. You should handle customer’s sensitive personal information more carefully.
What information falls into this category?
It is mainly:
- Religious or philosophical beliefs
- Physical and mental health
- Data concerning sex life
- Racial or ethnic origin
- Trade-union membership
- Political opinions
Under GDPR, this information is extra secured and can not be freely used, shared, and processed without explicit consent from the data subject. From May 2018, biometric and genetic data will also be included in the list.
7. Your new duty to explicitly show that you are able to comply with GDPR
This is a brand new principle in the world of data protection. You will be required not only to adhere to the new law but also to clearly demonstrate your GDPR compliance at all the stages of communication with your customer.
Veritas Technologies has recently conducted the survey to find out whether the companies are actually ready for GDPR or they need more time to gear up for the global shift. Nearly one-third of companies claimed that they were completely ready for GDPR but in the course of the survey it turned out that only 2% of them actually were.
Do you think you are ready for the implementation of the new law?
If you are not yet fully compliant, here is your GDPR survival guide.
1. Make your staff aware
Make sure that all your employees are well aware of the necessity of compliance with the GDPR. Moreover, they should not only be informed but rather, they need to understand the new law in detail.
According to cyber security statistics, ‘negligent employee or contractor’ is the most common cause of data breaches.
Conduct specialized meetings and training, hand over useful articles for reading, make it the point for discussion in your office.
2. Get your software products ready for GDPR compliance
According to Recital 26 of EU GDPR, any sort of data that you use to identify/track your visitors directly or indirectly is personal data. If cookies on your website can identify users via their personal devices, it is considered to be a personal data. The majority of cookies will be subject to GDPR.
You don’t have many variants to tackle this problem. The only sensible way out is to find a lawful ground to process that data.
The same refers to SaaS platforms. Their flexibility and agile accessibility make them a slippery slope for compliance with the coming GDPR.
Further reading: How to get your software products ready for GDPR.
3. Track your data flow
If you outsource data processing to third parties, track all your data flow supply chains.
Double check all the places where the data is processed. Make sure you know and have direct access to all recipients of personal data from your company.
If it seems not an easy task for you right now, imagine how it will look when you get only 72 hours to do so.
4. Adjust all your official papers to the new data protection law
Review all your contracts, agreements and other official documents involving data handling.
You can start right now. Consult your lawyer and address him/her for the legal assistance.
5. Get your insurance ready
Check on existing insurance policies and find out if they cover the data protection breaches. Make sure they protect you from outsourced data breaches as well. If your insurance policy does not provide you with such option, search for another one. Your task is to secure yourself as much as possible.
6. Appoint a responsible person — data protection officer (DPO)
If you handle personal and sensitive data of your customers or systematically monitor their behavior on a large scale, you should appoint a data protection officer to work on compliance solutions. DPO is a legal expert in terms of data protection matters, a good planner and organizer with a broad skill set.
Have a look at the following map and trace whether you will have to hire DPO.
According to articles 37-39 of EU GDPR, the person appointed to such position should possess expert knowledge of data protection law and practices enough to be able to:
- make all the employees of your company aware of their obligations under GDPR;
- control strict compliance with the new regulation;
- report to higher authorities about personal data processing states;
- consider and evaluate all the possible risks associated with data protection processes under GDPR.
DPO will solely concentrate on the GDPR compliance requirements and safely guide your company towards the light.
7. Set up a process for ongoing evaluation
You need to be sure that you remain in compliance. That will require monitoring and continuous improvement.
Evidently GDPR is a wild animal to be tamed. It may seem scary and noncontrollable at first sight but you must realize that it is also an amazing opportunity to stand out among less prepared companies and attract more customers with your perfect compliance.
In our next article we will write about the changes you should bring to your software base in order to turn GDPR into your competitive advantage.
If you don’t want to become a subject to huge fines, you will have to carry out the regulation to the letter and stay in line with it for many years ahead. To make it comfortable for your business and clients, let the preparation process start from today.
To get a deeper insight into GDPR go to the following links:
- Official Page of EU GDPR.
- Official PDF of the Regulation (EU) 2016/679 (General Data Protection Regulation).
- GDPR principles in tables.
- Additional steps on getting business ready for the GDPR.
Are there any questions about GDPR left unanswered? Feel free to ask them in the comment box below. OR contact us and we’ll help you build GDPR-compliant solutions.