The GDPR is a giant leap forward for online rights. Not only is it about keeping individual data safe and secure, but it’s about firms and companies taking responsibility for their hand in possible data leaks.
So, how will this affect your business? And why should you care about it if you’re not an EU-based company or based in one of the member states? We’ll take a look at all of these questions about the GDPR in this article:
What Is The GDPR?
We use the internet and all of its capacity on a daily basis, but not everyone is aware of how much personal data they are sharing.
Security breaches are on the rise, and what has been going on behind closed doors is coming to light. This week there was yet another data breach, via a Facebook quiz taken by millions of users, that reportedly shared their private information.
The EU General Data Protection Regulation (GDPR) is new legislation aimed at protecting the data privacy of all EU citizens and residents. It aims to simplify the regulatory environment for international business by harmonizing the data protection acts among its member states. - Prescouter
The General Data Protection Regulation is being enforced to help keep customer data safe and secure. The regulation was first adopted in April 2016 by the European Union and will come into force on the 25th of May, 2018. Companies have to ensure that they protect all types of consumer data. These types of data include:
- Basic information such as name, address and ID numbers
- Web data including location, IP addresses, cookie data and RFID tags
- Health and genetic data, biometric data, racial or ethnic data
- Political opinions and sexual orientation
Which Companies Are Affected?
It is expected that all companies with more than 250 employees that capture personal information about European citizens within the EU member states must comply with the GDPR. This is the case even if you don’t have a business presence within the European Union.
Companies with fewer than 250 employees, but where data-processing has an impact on the rights and freedoms of data subjects or includes certain types of sensitive personal data should also be compliant. The aim of the process is to protect the customer from sharing their personal information without consent.
Organisations are also responsible for informing their customers of their rights under the GDPR and for giving assurance that any third-party processors aren’t in breach of the GDPR. Should there be a security breach, whether in the form of a cyber attack or an accidental leak, the firm must alert the authorities within 72 hours.
The Implication Of Third-party Data
A third-party data processor is the entity that processes personally identifiable information on behalf of a controller. The controller determines how the data is processed, and for what reason.
What legally counts as Personally Identifiable Information?
Think of PII as any data that can be used to identify a specific individual. This includes Social Security numbers or identification numbers, mailing or email addresses and phone numbers, and it has now also been expanded to IP addresses, login IDs, social media posts, digital images, geolocation and behavioural data.
If your company’s marketing programs are built on third-party data processors, you need to listen up.
You are responsible for the personal data managed by your third-party vendors. Thus, you can be subject to penalties for your vendors’ violations.
If you are, for instance, making use of Google Analytics and AdWords for your campaigns, you have to be able to guarantee that these services aren’t being misused. It’s all about vetting your third-party partners and making sure that they are compliant.
Have a look at the current Business and Data compliance page that shows Google’s compliance.
Why It’s Important For Businesses Worldwide
Just because this is a European regulation doesn’t mean that it won’t affect the rest of the world. Major companies in the US also consider this implementation a top priority, since they know that non-compliance will negatively affect their business with and in Europe.
Taking e-commerce companies as an example, it’s clear why your non-European company should also comply with the regulation. If you are shipping your products to even one EU-based customer, you’ll have to become GDPR-compliant. This is because that individual is protected under this law, and you must be able to provide this person with their data should they request it.
The law focuses on personally identifiable information (PII) and where the person associated with the data resides. Anybody that has any kind of PII data on a European customer will have to comply. - PC Mag
Tips For Complying With The GDPR, And Risks Of Non-compliance
The way in which your company collects data must be relevant to how the data will be used. For instance, if you are running an e-commerce business, you have no business obtaining a customer’s medical history.
There has to be transparency about how companies are collecting data and why. Alongside this, there should be clear and actionable security practices in place which safeguard the data against damage and destruction.
Companies failing to comply with these regulations are subject to a 4% forfeiture of their annual revenues, which, as you can imagine, can be very damaging to any company.
How To Comply
Firstly, you need to appoint a Data Protection Officer. This individual will be in charge of managing the process of compliance. They will be responsible for implementing the change and showing the GDPR oversight team the ways in which your company has been securing data.
It’s not just about becoming compliant but also about staying compliant. Employ an encryption method for your physical servers, NAS, disks and drives, and networks. Multi-factor authentication should be in place for accessing personally identifiable information.
Make Use Of Plugins
Have a look at this valuable resource that explains how the GDPR impacts WordPress and WordPress users. Trew Knowledge also released a plugin for WordPress to assist data processors, controllers and data protection officers in their efforts to meet the obligations enacted under the GDPR.
The Delete Me plugin is another great tool that can assist you with compliance. This plugin allows users to delete their own data without having to file a request for it. The button can be placed on your homepage so that users are aware of the option.
Cut out practices that process data where it’s not relevant and constantly monitor and verify the data collected to stay ahead of the curve. Also always purge customer data when asked to do so.
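The three practices described in the compliance tips above (collect only data relevant to the purpose, put multi-factor authentication in front of personally identifiable information, and purge a customer’s data when asked) are easier to reason about in code than in prose. The following is an added example written for this article, not code from any of the plugins or services mentioned; the in-memory store, the `support` role, the field allowlist and the sample customer records are all constructed for illustration.

```python
# Added example (not from the original article): a toy customer-data store
# that enforces three of the practices described above: collect only the
# fields the business purpose needs (data minimisation), gate access to
# personal data behind verified multi-factor authentication, and purge a
# customer's data when they ask, leaving an audit trail that holds no PII.
# All names, roles and sample records are constructed for this example.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Fields an e-commerce shop legitimately needs to fulfil an order.
# Anything else (e.g. medical history) is refused at collection time.
ALLOWED_FIELDS: Set[str] = {"name", "email", "shipping_address"}


class AccessDenied(Exception):
    """Raised when a caller lacks the role or MFA step-up needed for PII."""


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_verified: bool  # True only after a second factor has been checked


@dataclass
class CustomerStore:
    records: Dict[str, dict] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _log(self, actor: str, action: str, customer_id: str, outcome: str) -> None:
        # The audit log records who did what and when, never the PII itself.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "customer_id": customer_id,
            "outcome": outcome,
        })

    def collect(self, customer_id: str, data: dict) -> dict:
        """Store a record, rejecting any field outside the allowlist."""
        extra = set(data) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"refusing to collect irrelevant fields: {sorted(extra)}")
        self.records[customer_id] = dict(data)
        self._log("system", "collect", customer_id, "ok")
        return self.records[customer_id]

    def _require_pii_access(self, session: Session, action: str, customer_id: str) -> None:
        # Both conditions must hold: the right role AND a verified second factor.
        if "support" not in session.roles or not session.mfa_verified:
            self._log(session.user, action, customer_id, "denied")
            raise AccessDenied(f"{session.user}: role 'support' and verified MFA required")

    def read_pii(self, session: Session, customer_id: str) -> dict:
        """Return a customer's record only to an MFA-verified support user."""
        self._require_pii_access(session, "read", customer_id)
        self._log(session.user, "read", customer_id, "ok")
        return dict(self.records[customer_id])

    def erase(self, session: Session, customer_id: str) -> bool:
        """Purge a customer's data on request. Returns True if anything was removed."""
        self._require_pii_access(session, "erase", customer_id)
        removed = self.records.pop(customer_id, None) is not None
        self._log(session.user, "erase", customer_id, "ok" if removed else "not_found")
        return removed


def demo() -> dict:
    """Walk through collection, a denied read, an allowed read, and erasure."""
    store = CustomerStore()
    store.collect("c-1001", {"name": "A. Example", "email": "a@example.test",
                             "shipping_address": "1 Sample St"})
    try:  # an e-commerce shop has no business holding medical data
        store.collect("c-1002", {"name": "B. Example", "medical_history": "..."})
        over_collected = True
    except ValueError:
        over_collected = False

    no_mfa = Session(user="agent1", roles={"support"}, mfa_verified=False)
    with_mfa = Session(user="agent2", roles={"support"}, mfa_verified=True)
    try:
        store.read_pii(no_mfa, "c-1001")
        denied = False
    except AccessDenied:
        denied = True
    record = store.read_pii(with_mfa, "c-1001")
    erased = store.erase(with_mfa, "c-1001")
    return {
        "over_collected": over_collected,
        "denied_without_mfa": denied,
        "email_seen": record["email"],
        "erased": erased,
        "records_left": len(store.records),
        "audit_events": len(store.audit),
        "pii_in_audit": any("a@example.test" in str(event) for event in store.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that the denied read is itself logged: a record of who tried to reach personal data without a second factor is exactly what you want to be able to show an auditor, while the audit entries carry only a customer identifier, never the data itself, so the log does not become a second copy of the PII you are trying to protect.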
Organizations will be required to conduct full risk assessments and work with partners, especially those connected via application programming interfaces (APIs), to ensure ongoing compliance. - PC Mag
Although the chances are slim that GDPR watchdogs will actively gun for small businesses, it’s best for the future of online rights to comply with this system immediately. Take note that there is no extension available. The GDPR will be enforced from the 25th of May 2018.
It might only be a matter of time before it’s a worldwide regulation. Complying with the GDPR might mean a lot of admin and restructuring, but it’s always great to show your customers that you value their privacy.