EU member states are now covered by the General Data Protection Regulation (GDPR), which is basically a law that protects the personal information of individuals within the EU and regulates how it is used. GDPR is important for organisations around the world because it affects everyone who does business or communicates with individuals in the EU member countries. It is arguably the most important government regulation on data protection and data privacy rights in the last 20 years.
How GDPR Affects Individuals
To begin with, GDPR is a mutually agreed regulation among EU states, which seeks to harmonize data privacy laws across Europe and give individuals enhanced power and control over how companies use the information which they have about them.
Following the numerous data breaches which took place over the past five years, including major incidents involving Yahoo and LinkedIn, GDPR seeks to create a unified framework for punishing companies that do not do enough to reasonably ensure that user data is kept safe and out of unauthorised hands.
The recent furore involving Cambridge Analytica and Facebook, which saw the clandestine research firm harvest information from unaware Facebook users in a series of campaigns that allegedly led to Donald Trump’s election victory and the ‘Leave’ vote victory in the Brexit referendum, has also provided a key case in point for the sort of scenario that the policy framework was designed to pre-empt.
Under GDPR rules, companies are not only required to put measures in place to ensure data security, but are also obligated to inform the relevant country’s data protection regulator about a breach within 72 hours. This would prevent a recurrence of incidents like the famous Yahoo hack, which saw millions of user email account login details stolen after being stored on an insecure server in plain text format.
The regulators, for their part, are also obligated to inform the individuals involved in the breach and then carry out a probe of the organisation to find out if adequate security measures were put in place. GDPR also mandates businesses with more than 250 employees to justify their reason for collecting user information, openly state how long it is held for, and show that adequate data security measures are in place.
Through the Subject Access Request (SAR), individuals can now get access to the information a company has about them for free. Businesses are mandated to provide customer information within a month of a SAR.
How GDPR Affects Businesses
The GDPR applies to all organisations that handle information of EU residents, whether they operate within the EU or not. Non-compliance with this law can lead to fines as high as €20,000,000 or 4% of the annual turnover of the company. Airlines, hotels, schools, Fintech companies, telecommunication companies and e-commerce companies are some of the businesses that are expected to be GDPR compliant.
American tech giant Google was recently slammed with a $57,000,000 fine by French regulators under GDPR regulations for violations relating to disclosure of user data holding times and what user data was used for. According to the indictment, Google did not make it easy for users of certain services on its Android platform to know exactly what data on them was being collected, what it would be used for and how long it would be stored.
The regulator also stated that Google did not make it ‘sufficiently easy’ to opt out if users so desired, because use of the services was contingent on accepting its conditions, which is also against GDPR regulations.
How to Ensure GDPR Compliance
- Collect and process only information relevant to the service you carry out
A major reason that GDPR regulation was introduced in the first place was that a number of websites and platforms were collecting increasing amounts of user data for no other purpose than to sell it on to marketing organisations, often without user knowledge or consent. In some cases, the data collected and sold on to third parties was not anonymized, and contained identifying information of users such as names and email addresses.
To avoid becoming the recipient of a hefty fine under GDPR guidelines, it is important that you only collect data that is directly relevant to what you do. In other words, only collect the data that you would feel confident disclosing if you received a request for information from the authorities. Resist the urge to make quick money by selling other data you are able to harvest.
- Do not collect information without consent from either employees or customers
Closely related to the first point is the reality that if you collect information from your users without their knowledge, regardless of how easy or harmless it may seem, you are potentially opening yourself to ruinous action by European regulators.
This also does not mean hiding this information inside an inconveniently located ‘Terms and Conditions’ page somewhere on your website, because that itself could make you the subject of a fine. As mentioned earlier, Google received the record fine in part because, even though it informed its users of their data use in theory, the practical reality of making access to its service contingent on them opting in did not constitute a proper opt-in choice. This has since been amended on the affected Google services.
- Store information only for as long as it is needed
Resist the temptation to hang on to user data for possible future monetization, because this is another point on which GDPR rules are very clear. Google, for example, has been forced to delete certain data after being taken to court by activists fighting for the “right to forget”.
- Have an effective data security strategy that involves employee training
This means more than just investing in secure server space, automatic data encryption or the most recent technical defences, or even setting up a brilliant IT team. To have any long-term success with data security, people have to be at the center of the strategy. There should be a top-down shared sense of responsibility and ownership with respect to safeguarding the information assets of the organisation. Cyber criminals target people as much as they target systems, making it imperative for employees to be behaviourally trained to be cyber security conscious. This, alongside clever technological defences, is critical for preventing hackers from gaining unauthorised access to company data.
- Document your data processing activities and carry out routine assessments
Make sure that you maintain a log that details your regular and periodic data processing and security activities, because this is itself a GDPR requirement. Even if you do not suffer a data breach, the absence of this log could get your organisation slapped with a hefty fine. It is also recommended that you carry out routine Data Protection Impact Assessments (DPIA) to essentially audit your GDPR compliance.
- Make sure any third-party company you use is also GDPR compliant
This might be a tad tricky, especially if your business makes use of a number of independent contractors and third-party suppliers, but if they fail to meet GDPR standards, their failure could compromise your company as well, not to mention potentially expose you to a fine alongside them. If necessary, hire a lawyer or a specialist GDPR consultant to vet all entities you are affiliated with in order to prevent such a scenario.
For businesses servicing customers located in the EU member countries, being GDPR compliant is not an option. Nor is this a one-and-done deal; it is an ongoing approach to the way you run your business. As data misuse and data breaches become more rampant, customers will increasingly seek out companies they can trust with their information, which makes being GDPR compliant not just a legal requirement but also a competitive advantage over non-compliant competitors.