The General Data Protection Regulation (GDPR) is coming into action from the 25th of May 2018. It is in the news and everyone is talking about it. The only problem is, legal websites have explained it with innumerable legal jargon that it becomes difficult for commoners to understand what it really is.
So, in this article, we will try to answer a few important questions about GDPR that will help you protect your company and your consumers.
Here is everything you need to know about GDPR
When and why was GDPR developed?
The European Council approved GDPR in April 2016 and translated it to all languages, spoken in the European Union (EU), by May 2016. It was developed with the intention to protect people who share personal data with a company or organisation.
The European Council developed the GDPR because their data protection laws were as old as 1995 (Data Protection Directive) and 1998 (Data Protection Act). With the sudden growth of the digital media it became easy for companies to mishandle personal information. The Cambridge Analytica Scandal proves to be an example of misused personal data. This is why the EU revised their data protection laws and formed the GDPR.
Why is it important for everyone to know about the GDPR?
If the GDPR only complies to the EU, why should we know about it? Simply because, international companies that handle information of citizens from the EU are subjected to this law. An non-compliance to the GDPR may result to a € 20 million (₹ 159.76 crores) fine! Therefore, it is in our best interest to know all about GDPR regulations so that we aren’t fined € 20 million by the EU.
What kind of data is the GDPR talking about?
The GDPR refers to any data possessed by a company that one can use to identity a person. This includes name, phone number, email id, photos, address, ip address etc.
How to show compliance to the GDPR?
Most companies, both large and small, have your best interest in mind when they take personal information. However, unprotected data can easily get into wrong hands and put the entire business in trouble. This is why there are certain measures that you must take to show your compliance to the GDPR. Here is a list down below
1. Building a comprehensive database
Have an organised working system that stores information on all the personal data you require for your business. Also make sure you know how you received that information and why it is important for you to hold on to it.
A comprehensive database will keep information organised so that you can access it at any given time. Don’t hold onto that you no longer need. This is unnecessary and can put you in a lot of trouble.
2. Be ready to produce personal information if asked
If anyone ever asks you to show the information you have on them you must be able to produce it without any difficulty. Sometimes your clients may ask you to delete their information. This should be made possible for every business.
3. Make sure the information stored safely
What safety measures have you taken against data mishandling? Keep a note of that. Password protect your client information so that it does not get into wrong hands.
Though this is not compulsory, if you have many customers from the E.U, you can appoint a Data Protection Officer (D.P.O.). The DPO is one who ensures that everyone in the workforce is following G.D.P.R. laws. They must make also ensure that redundant personal data is deleted on time.
4. Transparency
The European Council created the GDPR so that there is transparency between businesses and consumers. So, be transparent about the data you need. Tell your client why you need it and what you intend to do with it. As per the GDPR rules, you cannot continue to record personal data if an individual does not comply.
Since the regulation will apply after 25th May, 2018, all companies must revise agreements with customers from the E.U. This includes U.K. till 29 March 2019. You may already have a privacy policy in place. It is time to revise that policy and introduce the processing policy. This will show your customers that you intend to keep their information safe.
If you have a lot of customers from E.U, it may be difficult to contact each and everyone to ask for their consent. Instead, send a common mail to all your customers, asking for their consent to keep their information. You can also add a simple ticking option on your website for those who give you permission for their personal data. Remember, if you don’t receive consent from one or more customers, you must delete their information from your database.
Conclusion
Here is a concise understanding of the G.D.P.R. In case you find our information breaching from your company, you must report it to the data protection authority within 72 hours. There is a penalty of € 10 million (₹ 80.26 crores) or 2% of your annual revenue (whichever is higher) in case you miss the 72 hour mark.
Though the law was made in the best interests of E.U. citizens, you need not be part of the E.U. to have complete right over your personal data. You can ask any company, at any time, to show what information they have about you. It is your right to know why they have it and what they intend to do with it.
For safety purposes you may also attach a confidentiality notice to your email signature to make sure your information is protected. This allows you to take action, in case anyone has wrongly used your personal data without your consent.
