Oblivious About GDPR?
The General Data Protection Regulation (GDPR) is a European law that lays down ground rules for any entity that collects or uses the personal data of European residents. The law came into force on May 25, 2018, after being adopted in May 2016. Its chief motive is to establish the right to privacy as a fundamental right for European residents. The law requires every organization that handles users’ personal data to seek their permission before sharing it and to be transparent about what it will do with that data. User consent can be obtained through an opt-in or by a signature on a consent form. GDPR also gives users the right to object if they feel their data was used inappropriately, and the right to demand that it be deleted completely. Users must also be notified if their data is lost through a data breach or hacking.
- For those who think joining the GDPR crusade is optional: it’s not.
- Not complying with GDPR will result in fines (up to 4% of global revenue).
- GDPR also requires organizations to appoint a Data Protection Officer (DPO), who is responsible for controlling and reducing risk, creating a workable data security policy, and ensuring compliance.
Bottom line: GDPR is important. If you don’t wish to cross swords with the law, keep these steps in mind and you are good to go:
1. Evaluate
Evaluate everything that needs to be done in your company. From understanding the consequences to reviewing the requirements, make sure the decision-makers are up to date on every change that has to be made. Take this step seriously: for some companies, the changes decided upon will affect several departments at once.
2. Update
How you communicate with customers may need to change: rethink, revise, update. To be compliant with GDPR, you must define how you will use users’ personal data. Make sure your privacy notice clearly explains how you are going to process users’ personal data in accordance with the law.
3. Audit
Inspect all the personal data that is collected and stored, and keep track of where it came from and who you share it with. Recording your processes and activities is one of the things GDPR requires, so that companies have effective policies in place and procedures that are followed strictly.
4. Protect Children’s Data
Another important point is to obtain parental consent before processing children’s personal data. Companies will be required to verify ages and to protect children’s sensitive personal data, and to process it only once parental consent has been obtained. This matters most for commercial internet services, for instance social networking.
5. Address Data Portability
A user has the right to request their personal data in a commonly used, machine-readable format. This also means the user holds the right to transfer their data to another controller without interference from the controller that already holds it.
6. Investigate Data Breach
Personal data is always at risk, so it is essential to be able to detect and investigate a data breach successfully. GDPR places an important duty on all companies to report a data breach to the Information Commissioner’s Office (ICO). You will be required to notify the ICO of a data breach whenever it poses any risk to the rights of individuals.
If you already follow the Data Protection Act (DPA), you will notice that several of the rights it defines overlap with the rights set out in GDPR. This means you are a little ahead of the game and need not put in as much effort as companies that don’t follow the DPA. But don’t forget to review your present procedures; they should cover everything listed in GDPR.