Even if your enterprise isn't located within the EU, it may still be processing personal data of people in the EU. That covers both data controllers and data processors handling everyday personal data such as billing and shipping addresses or login credentials for online banking, for instance.
Consumers must be told clearly how the personal information they provide will be used, and they have the right to withdraw consent at any time.
What is GDPR?
Most likely you received a wave of privacy-notice emails from your bank, your email provider and social media platforms in early 2018, prompted by the European Union's GDPR, which took effect in the spring of 2018. The GDPR is a tough law. It creates a single set of rules and enforcement powers to protect individuals in the EU and the wider EEA.
GDPR defines three roles around personal data: data controllers, data processors and data subjects. Data controllers determine why and how personal data is processed and what is done with it; this is the business itself, acting through its owners and employees. Data processors are third parties that process data on behalf of a controller. Cloud storage services such as Tresorit or email providers like Proton Mail are examples of data processors.
Data subjects are the individuals whose information is processed. They must be able to understand the whole statement and explicitly agree, by taking an affirmative action, to the processing of their personal data. Consent must be explicit: it can no longer be inferred from silence or inaction. To comply with the GDPR, people must expressly agree to the collection of their information, so pre-ticked boxes or pages of legalese no longer count as informed, freely given and specific consent.
The law gives individuals the right to demand a copy of the personal data any organization holds about them. It also requires companies to provide this information in a structured, commonly used and machine-readable form so that another entity can take it up. Being able to fulfil such requests is a crucial step for organizations adhering to the GDPR.
Data portability is a key aspect of the GDPR: data can move from one company to another without being entered again. Portability helps the customer, and the work needed to support it (knowing exactly where personal data lives and in what form) also tends to improve the overall security of a company's data.
To remain compliant, businesses need to keep their technology platforms and data structures up to date. The basic idea is that every department must work together to pinpoint where all of the company's personal data is located and how it is stored, and then map that data so that each piece of personal information is protected appropriately.
What is the GDPR's impact on my company?
The GDPR has a vast effect on businesses. In force since May 25, 2018, it has brought numerous changes in how businesses handle personal data. It affects every part of the business, including marketing and IT and beyond. Its security requirements also push companies toward better protection against attacks such as ransomware.
Although the GDPR has been in force for nearly a year, many businesses still struggle to meet its requirements. Studies show that only 29 percent of businesses are GDPR-compliant. That is a strikingly low number, and it is not surprising that small businesses are having the hardest time adhering to the GDPR.
Where consent is the lawful basis relied on, the GDPR requires businesses to obtain explicit consent from each individual before processing their personal information. It means you cannot add someone to your mailing list until they explicitly opt in. You must also clearly describe why you are collecting the data and what you intend to do with it, and you must be able to demonstrate that the individual consented and was made aware of their rights.
Additionally, the GDPR mandates that businesses collect only data that is relevant and necessary for the purpose at hand (data minimisation). That means you should not, for example, blanket your workplace with CCTV or track every visitor to your site with Google Analytics when you have no defined need for that data. In addition, the GDPR requires that collected data be processed securely.
In response, businesses had to review their data handling policies and privacy practices. The e-commerce industry in particular was affected, since it needed new procedures for collecting and processing customer information. In some cases this was challenging, as firms had to remove specific features from their sites and platforms to remain compliant with the GDPR.
What can I do to be better prepared and GDPR-ready?
The GDPR took effect on May 25, 2018. To comply, businesses have to make the necessary changes to their existing information security systems. Firms that do not comply with the law can be fined up to 20 million euros or 4 percent of their worldwide annual turnover, whichever is greater.
To prepare, start with a thorough audit of your business's data. List every item of personal data that is collected, stored and handled. Next, consider how each item maps to the lawful bases defined by the GDPR. You can then create an action plan by pinpointing the areas where you need to make changes, prioritise these tasks by the risk they carry, and estimate the duration, budget and resources for each.
Next, review any third-party businesses or services you use. Make sure they comply with the GDPR and that you have a data processing agreement with them, including safeguards for any transfer of personal data outside the EU/EEA. It is also wise to risk-assess any process that involves children's data, as the GDPR has raised the bar on age verification and parental consent for this kind of processing.
Also, verify that existing consents for the use of personal information meet the new GDPR standard: consent must be specific, informed and as easy to withdraw as it was to give. Review, too, the procedures you have for handling requests from individuals exercising their rights, which now include the right to be informed; the right of access; the right to rectification; the right to restrict processing; the right to object to automated decision-making, including profiling; the right to data portability; and the right to erasure.
Lastly, be sure your company is prepared to deal with personal data breaches. Establish an internal response team and a plan of action that covers informing the individuals affected. Consider appointing a Data Protection Officer if your processing calls for one. Make sure your privacy policies have been revised and are available to everyone within the company.
What can I do to limit how the GDPR affects my company?
How you handle the personal information you collect is the biggest factor in how the GDPR affects your business. The law defines personal data as any information that can be used to identify an individual, which includes names, contact details, financial information, medical records and IP addresses. If you collect this kind of data, you must conform to the GDPR's rules to avoid fines and penalties.
You can protect your company against the impact of the GDPR by setting up processes that ensure compliance. First, carry out a data audit to determine what personal information the company holds and how it is used. Once you have done this, you can design an update to your privacy policy and collection practices; this could include requiring a double opt-in for newsletter subscriptions. Ensure you have a lawful basis for collecting personal information, and that your suppliers and contractors are GDPR-compliant as well.
Another way to minimise the GDPR's effects on your business is to have a process in place to detect and address personal data breaches. The law requires you to notify the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to pose a risk to individuals), so you need a system that can quickly detect, contain and document incidents. In practice this could mean forming an internal team to review new and existing data processing for compliance, adding consent forms to your site that clearly explain how the company handles personal information, implementing a mechanism that lets current customers revoke consent, and reviewing and updating contracts with third parties to ensure they are compliant with the GDPR.
Also note that the GDPR applies to firms of all sizes, not just those located in the EU. Every business handling the personal data of individuals in the EU or the wider European Economic Area, regardless of their citizenship, must adhere to its requirements.
The GDPR puts the emphasis on consumer consent and makes it far harder for companies to bury the terms in lengthy contracts that nobody reads. In return it improves your customers' trust in your company. It also pushes businesses to consolidate their data platforms, which can benefit departments such as marketing and sales, who end up with a more targeted and engaged audience.
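As an added illustration, not code from the original page, the constructed Python consent ledger below shows one way to implement the consent requirements discussed above: an opt-in is recorded only on an affirmative act by the subject (no pre-ticked boxes or defaults), it becomes effective only after a double opt-in confirmation, it can be withdrawn in a single step, and every event is kept as evidence of what was agreed, when, and under which version of the privacy notice. The class and method names, the purposes and the subject identifiers are assumptions made for the example.

```python
"""Constructed example: a minimal consent ledger (not production code).

It records consent events per data subject and per purpose so that a business
can (a) refuse anything that is not an affirmative act, (b) complete a double
opt-in before treating consent as given, (c) withdraw consent as easily as it
was given and (d) produce evidence of what was agreed, when and under which
version of the privacy notice.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
import secrets


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # e.g. "newsletter", "profiling"; one purpose per consent
    action: str           # "requested", "confirmed" or "withdrawn"
    notice_version: str   # version of the privacy notice shown to the subject
    at: datetime          # UTC timestamp of the event
    source: str           # how the event was captured, e.g. "web_form"


class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []
        # confirmation token -> (subject_id, purpose, notice_version)
        self._pending: dict[str, tuple[str, str, str]] = {}

    @staticmethod
    def _now(now: datetime | None) -> datetime:
        return now or datetime.now(timezone.utc)

    def request(self, subject_id: str, purpose: str, notice_version: str,
                *, ticked_by_user: bool, source: str = "web_form",
                now: datetime | None = None) -> str:
        """First step of a double opt-in; returns a single-use confirmation token.

        A pre-ticked box, a default or silence is not consent, so the caller
        must pass the subject's own affirmative action; anything else is refused.
        """
        if not ticked_by_user:
            raise ValueError("consent needs an affirmative act by the data subject")
        token = secrets.token_urlsafe(32)  # unguessable; sent in the confirmation e-mail
        self._pending[token] = (subject_id, purpose, notice_version)
        self.events.append(ConsentEvent(subject_id, purpose, "requested",
                                        notice_version, self._now(now), source))
        return token

    def confirm(self, token: str, now: datetime | None = None) -> bool:
        """Second step: the subject follows the e-mailed link. The token is single-use."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        subject_id, purpose, notice_version = entry
        self.events.append(ConsentEvent(subject_id, purpose, "confirmed",
                                        notice_version, self._now(now), "email_link"))
        return True

    def withdraw(self, subject_id: str, purpose: str, source: str = "account_page",
                 now: datetime | None = None) -> None:
        """Withdrawal is one call: no token and no confirmation round-trip."""
        self.events.append(ConsentEvent(subject_id, purpose, "withdrawn",
                                        "", self._now(now), source))

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """True only if the latest confirmed/withdrawn event for this purpose is 'confirmed'.

        A pending request never permits processing, and consent for one purpose
        never carries over to another.
        """
        state = False
        for e in self.events:
            if e.subject_id != subject_id or e.purpose != purpose:
                continue
            if e.action == "confirmed":
                state = True
            elif e.action == "withdrawn":
                state = False
        return state

    def evidence(self, subject_id: str) -> list[ConsentEvent]:
        """Audit trail for a subject access request or a regulator's question."""
        return [e for e in self.events if e.subject_id == subject_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    token = ledger.request("subject-42", "newsletter", "privacy-notice-2018-05",
                           ticked_by_user=True)
    print("before confirmation:", ledger.is_permitted("subject-42", "newsletter"))
    ledger.confirm(token)
    print("after confirmation:", ledger.is_permitted("subject-42", "newsletter"))
    ledger.withdraw("subject-42", "newsletter")
    print("after withdrawal:", ledger.is_permitted("subject-42", "newsletter"))
    for ev in ledger.evidence("subject-42"):
        print(ev.at.isoformat(), ev.purpose, ev.action, ev.notice_version, ev.source)
```

The design point is that the ledger is append-only and keyed by purpose: nothing is ever overwritten, so the trail of requested, confirmed and withdrawn events is exactly what you would hand over to show that consent was freely given, specific and later honoured when withdrawn. In a real system the events would be persisted and the token delivered by e-mail; those parts are left out here.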