1. What is GDPR?
GDPR or General Data Protection Regulation, is a new framework for data protection laws in Europe – it will replace the old 1995 data protection issue, which is based on the current UK law. GDPR will be effective from May 25, 2018.
This rule empowers citizens and consumers in the emerging digital economy to determine how companies use their data. With GDPR, the data protection rules will be uniform in the entire European Union (EU), which has 28-member states.
2. Which companies are affected by GDPR?
Data protection rules will apply to all the businesses operating in the EU, even if they do not have any physical presence within the EU. Any company that stores or processes personal information about European citizens within or outside EU states will comply with GDPR.
New rules will be very difficult and fines will be imposed on companies which are not found to be complying with the new GDPR rules.
Specific criteria for companies on which GDPR is applicable:
- Having presence in an EU country.
- Having no physical presence in the European Union, but stores and/or processes the personal data of European residents.
- Having more than 250 employees.
- Having less than 250 employees but stores or processes some sensitive personal data for its business purpose, that can somehow affect the data privacy rights and freedom of EU citizens.
3. Will GDPR affect Indian businesses? How?
GDPR will dramatically influence those companies (including suppliers, vendors, and outsourced organizations) inside and outside the European Union, who handle the data of customers, employees or others.
IT companies in India who host data of EU businesses – BPOs, IT support services etc. or those companies who have their customers from the EU member states, will get affected and need to take immediate steps to comply with GDPR. In short, it will be effective on all those Indian companies who process the data of EU citizens to give them services.
Therefore, businesses need to reconsider their data management approach to remain compliant and out of law’s clutches.
4. What are the benefits of GDPR for businesses?
If your business becomes GDPR complaint, here are the benefits you will have:
i. You’ll make yourselves cyber secure.
Specific definition of personal data under GDPR:
Personal Data – any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.
Both personal data and sensitive personal data are covered by GDPR. Personal data is used to identify a person, such as it may be a name, address and IP address. In GDPR, personal data also includes photos, bank details, social media names and posts, medical information etc.
Sensitive personal data includes information about genetic data, religious and political views, sexual orientations, etc.
Data breaches are on the rise. When you prepare your organization to better streamline the way you collect, store and process personal and sensitive data, you establish more organized approach towards your security strategy and would adopt adequate mechanisms to deal with crucial data, thereby making your business more cybersecure in the process.
ii. Your data management will improve. To be GDPR compliant, you will need to audit all the data you have. This will help you reduce the data collected and better the way you store it.
By clearing the data, you will reduce costs and resources that you invest in storing and processing data.
iii. Audience loyalty and trust will be promoted. GDPR compliance can help you build a more trustworthy relationship with your customers and the public. While collecting consent to use the data, you have to explain in a clear and concise way as to how you will use their personal information.
This will show that you care about the privacy of your current and potential customers, and this will increase the confidence of the people in your brand.
iv. ROI will increase. According to GDPR, a business will have to apply an opt-in policy and citizens will have to agree or allow a business to process their personal data. This will improve your marketing database and you will be able to contact people who really want to listen to you and who are more interested in your brand.
With more relevant database, you will be able to do targeted marketing, which will help increase your click-through and conversion rate, and your ROI will increase, provided efforts are made wisely.
v. You will be the forerunner in establishing a new business culture. By following GDPR, you will infuse the value of data security in your employees and will be an example that your business is a socially responsible one. Thus, your business culture will be followed by others in the industry, setting a new wave to respect customer data privacy.
Microsoft and other IT service providers and data protection firms are taking effective steps to comply with GDPR: Companies accelerate ways to be GDPR compliant as countdown to enforcement begins
5. How can my business become GDPR compliant?
i. Awareness: You should make sure that decision makers and business leaders in your organization know that GDPR is a new law and they need to understand its impact.
ii. Audit the information you have: Audit the information that you have, vet all the personal data in your database – where it came from and who you share it with. Do you have shareable proof that the individuals whose data you have agreed to have their data stored and processed by you?
iii. Rights of Individuals: Check all your business procedures that they do not, in any way, infringe the rights of individuals. For this, make sure that you have all the needed reasons and permissions for storing personal data, using this data for different purposes and sharing it electronically, in case you share it.
v. Information Access Request: If your organization handles a large number of data access requests, consider bringing in a new system to deal with requests that allow individuals to access their information easily and quickly, online.
vii. Consent: You should review how you get people’s consent, record and manage their information. Renew existing consents to get GDPR compliant.
viii. Data violation: You should make sure that you have the correct procedures in the case of personal data breaches as you will need to fully detect, report and investigate such matters within a time frame to the relevant authorities.
ix. Children: You have to bring in a system to verify the age of the persons. As if you have children among your subscribers, then you will have to get the consent of their parents or guardians, so that you can process their data.
x Data Protection Officer: Assess whether you should nominate someone to take the responsibility for data protection compliance in your organization. If yes, then evaluate how this role will fit within your organization’s structure and governance system.
xi. International: If your organization works in more than one EU member state (i.e. you do cross data processing) then you should set your Lead Data Protection Supervisory Authority. Article 29 Guidelines will help you do this.
For complete information on GDPR, go to GDPR’s site.
You can also find the complete GDPR Compliance checklist here.
How are other companies preparing to comply with GDPR – read here.