What Is GDPR and What You Need to Know about It
On May 25th, 2018, all citizens and residents of the EU gain full control over their personal data, thanks to the General Data Protection Regulation. Every business dealing with data will probably notice the huge fines for breaking the new data protection rules: the greater of €20 M or 4% of the company’s annual turnover. Sounds scary, but don’t panic! We’ll share the most important points about GDPR to help you comply with the new data security standards.
What is PII according to GDPR
Let’s start with the fact that there’s no clear definition of what PII is. Broadly, it’s any kind of data that can help you identify a person: name, location, picture, video, IP address, etc.
What’s more confusing is that the same data can be both personal and not personal. To understand this, imagine that you own a jewellery shop, so you’ve got video cameras all over the shop to provide the necessary level of security. In this case you collect video data for security purposes, which is not treated as personal. However, if you connect the cameras to a face recognition system and send newsletters to your shop visitors, the data becomes personal and you start breaking GDPR rules, unless your visitors have consented to being filmed for advertising purposes, of course.
How to get user consent for data processing
GDPR introduces two new concepts: privacy by default and privacy by design. In practice, this means there won’t be any pre-ticked checkboxes next to «I agree to personal data processing.» That checkbox should also become more prominent in the interface. Moreover, users get the right to withhold consent in the following cases:
- When a user is forced to give consent.
- When a user is asked to provide more data than they consider necessary for the processing.
- When a user is requested to give consent to transfer personal data to any third parties without a proper explanation of how the data will be used.
Oh, and one more: under GDPR, users get the right to withdraw their consent at any time, even if they were given a proper explanation of how the data will be used.
The data processing policy should now be described in plain language, without legal terms or long explanations, because most users simply scroll to the end and tick a box they may not actually agree with.
In fact, GDPR requires companies to inform users about data collection and processing in the simplest and clearest way possible. Consent itself should now be given through a genuinely user-friendly interface, and separately for each data processing or monitoring operation. For example, if you are going to send promo materials to your users by phone or by email, you’ll have to get consent for both email and phone. If, say, you’re planning to use geo segments, you’ll first need the user’s consent to collect their geo data as well.
Starting on May 25th, 2018, cookies may not be used for advertising or analytics purposes unless there is a lawful basis, such as a contract or obtained user consent. This means that notices like «by using our website, you agree to the cookie use policy,» shown when users first arrive, become useless.
New roles in GDPR
GDPR introduces two new roles: the data processor and the data controller, who has more responsibility than the processor. To give an example, let’s say your company uses Google Cloud Platform to store your customers’ personal data. In this case, GCP is the data processor, and your company is the data controller, as you are the one who decides what to do with the customers’ data.
Another thing about GDPR is that each company dealing with processing or monitoring user data has to hire a data protection officer, to make sure that user data is safe and sound. The data protection officer will also review every new business technology connected with data processing or monitoring.
New user rights in GDPR
The right to be forgotten is probably the most interesting aspect of GDPR. It means that any user can demand that a company correct or even completely delete their personal data, or stop using it altogether. The exception is when the user data is collected for a specific purpose such as security. In that case, the company has to inform the user that the data is collected for security purposes and mention that third parties may also use it.
The right to restrict processing allows any user to demand that a company simply stop collecting and processing their data if the user objects or the grounds for collecting and storing it are unlawful. Any user can also ask to restrict processing when the data is no longer needed for the purposes the user agreed to. By the way, Google Analytics has even released a browser add-on for opting out of GA because of GDPR.
The right to data portability is definitely aimed at user convenience. The idea is that customers will no longer need to manually transfer their data when switching from one data controller to another. To understand how it works, let’s take an example. Say a customer has decided to start shopping in your online store; before that, he or she shopped at another online store, but yours has lower prices. For the user’s convenience, the previous online store has to collect all the user’s data in a machine-readable format and send it to your store. This means the user won’t have to re-enter information such as his or her favorite type of cell phones and cameras. Sounds great, doesn’t it? However, there’s no manual on how to provide this feature to customers yet.
One more important thing about GDPR is breach notification. Each company now has to inform affected users and the relevant body within 72 hours of finding out about a user data breach.
Who is affected by GDPR
To make a long story short, all businesses involved in processing the data of, or monitoring, EU citizens and residents have to comply with GDPR, regardless of where the business’s offices are. That also applies to companies already working with EU citizens and residents, whether the whole company or just one department is involved.
This is where you might want to know what to do if an EU citizen happens to be your customer by accident. According to GDPR, even if there’s the slightest chance that you process the data of an EU citizen, your company has to comply. However, GDPR doesn’t yet provide clear directions on how to identify such accidental EU citizens and residents among all of your customers.
What steps businesses should take to comply
Taking the main GDPR standards into account, here’s a short list of recommendations for all businesses dealing with data processing or monitoring:
- Check that all of the company’s data collection, processing and monitoring practices comply with GDPR.
- Encrypt and/or pseudonymize your customers’ data.
- Assign or hire a data protection officer.
- Provide dedicated GDPR training to all employees engaged in data processing and monitoring.
- Get ready for possible queries and requests from EU regulatory authorities and data subjects.
- Demonstrate the value of GDPR standards to your customers.
GDPR is a serious step forward in user data protection, bringing new data security standards to the whole world. Customers are likely to place more trust in companies that comply with GDPR. That’s why we recommend starting to implement the new data security standards as soon as possible, as this will help your company avoid huge fines and data breaches.
You can also subscribe to our secret newsletter to learn more about GDPR as we’re planning more articles on the topic. Don’t hesitate to leave a comment if you have any questions ;)