The newly released update, the General Data Protection Regulation (GDPR), is the EU’s latest data protection regulation. Coming into force in May, it introduces significant new rights for those living in the EU, such as the right to request information on all data a company holds on them and to have it deleted, as well as responsibilities for “data processors” – any business, public body, NGO or other organisation that handles personal data.
GDPR strengthens individuals’ data-protection rights and synchronizes those rights throughout the European Union. This means that any business operating in any EU member state – including the UK – needs to update its processes to be fully compliant with this regulation within four months.
This data regulation largely applies to employment and national security issues, or to individuals processing data at home for personal use. This may range from an electronic list of customers or website logs of visitors’ IP addresses to EU or non-EU cloud services, and so on. GDPR covers everything and anything that can be considered personal data.
Are You Compliant with GDPR?
Here is an overview of what you need to do to be well on the way to GDPR compliance.
Ensure Privacy by Design
Be it a product, process or even a website, make privacy inherent in everything that you design. If you adhere to this, no further data-protection measures would be required. Data-protection requirements include end-to-end encryption, transparency, and the ability for users to identify themselves – when required – without passing non-essential sensitive data. For example, any proof of age shouldn’t require entering credit card details.
Ensure your accountability
Although it is crucial to adopt a privacy-centric business process, it is not enough. You must also be able to prove that you’ve done so if asked. That implies documenting the discussions and processes that led to your final implementation. While this would be a protection for yourself, it will also be reassuring for your customers, as it shows that your business incorporated all of the available protection measures.
Ask for Active Consent
Wherever consent is concerned, it is not safe to make assumptions. If you’re designing an opt-in form, web-store checkout or data-collection mechanism, ensure that you clearly explain what a user is opting into and how the data will be used. Moreover, make sure that the action of opting in is active and not passive, as GDPR compliance requires you not to rely on pre-ticked boxes or to assume that a failure to opt out implies consent. In addition, any conditions must be detailed separately from regular terms and conditions, so that they are more obvious.
Keep Users Informed
GDPR gives citizens and customers the right to question how their content is used, and even to revoke their consent to it. If you haven’t already, you will need to nominate (or hire) a data controller and data-protection officer to handle these interactions and make their contact details public.
In addition to contact information, businesses also need to provide a simplified explanation of how customer data is used, the purpose of data collection, the interests of the controller, collector or third party processor who will receive the data, and whether it’s being transferred to an external agent and so on.
Stay prepared to delete data
GDPR comes with the right to erasure: in specific situations, data subjects can request that their details be removed from databases entirely. This may happen if a customer withdraws their consent to further processing of their data. That includes cases where data is garnered or processed illegally.
Careful use of algorithms
The GDPR explicitly states that a decision which produces a legal effect or similar must not be based on automated processing, unless that processing is absolutely necessary and is authorized by law. Nowadays, a lot of decisions – particularly online – are automated. In such cases, the customer must also have given their explicit consent. Therefore, whenever you intend to use an algorithm to analyze data relating to an individual, know that the data can’t be used to make decisions with legal implications – unless the individual gives you permission to do so.
Audit your data
Enforcement of GDPR is only a few months away. It is time to audit your data-collection and processing activities and update them if needed. In particular, check whether any of the third-party providers you rely on are situated outside the European Union, as GDPR restricts the transfer of information beyond the bloc’s borders.