Worse, 22% of organizations are unaware that they must comply with GDPR, even if they are based outside of the EU but hold data of EU citizens when the GDPR starts applying on May 25, 2018.
What is GDPR
These are a new set of rules with the goal of granting citizens of the EU more control over their personal data. GDPR is attempting to simplify regulations for both businesses and citizens.
What personal data? Any information related to a person including:
- Bank details
- Computer IP address
- Email address
- Medical information
- Location details
- Social media updates
Does it apply to you?
GDPR not only applies to organizations within the European Union, but those outside of the EU offering services or goods to businesses and citizens within the EU.
The regulations specify two types of data-handlers, Controllers and Processors:
If you are collecting, storing or managing personal data of any EU citizens, you are processing data according to the GDPR. If your website database, or other third party services you use like MailChimp, contain personal data like names and emails of EU citizens, you are processing.
Controllers will retain the primary responsibility for protection of data such as reporting data breaches promptly. These are often software providers that handle your customer’s data on your behalf.
Organizations can see penalties if personal data is not protected from exploit or misuse. Data must be collected under strict conditions and legally. If not, non-compliance fines could be 4% of global turnover or 20 million Euros, whicher is greater.
Record of consent
You now must have records that show an individual opted in for a newsletter or other similar request in the event the individual objects to receiving your communications. A time-stamped audit trail can help with reporting.
Tactics such as purchasing lists, or entering collected business cards into your CRM may not be as easy as they once were.
GDPR ensures consumers will be notified when their data has been hacked. Prompt notification to the proper authorities will be required so EU citizens can take action to avoid having their data misused.
- Individuals must be notified of breaches no later than 72 hours after having become aware of it.
- Right to object gives Individuals the option to request the use of their data stop being used for direct marketing at any time.
- Right to rectification allows individuals to access, amend, correct or delete their information.
- Right to be forgotten by having their account and data deleted.
- Right of access to inquire how their data is being used and request access.
- Right of portability requires the ability to have data exported in a commonly used electronic format, and free of charge.
Do you need a Data Protection Officer (DPO)?
If your organization handles large scale behaviour tracking monitoring of individuals, personal data concerning criminal convictions or special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or health conditions), you must appoint a DPO.
A GDPR Checklist
Establish procedures for handling personal data
If you don’t have these in place already:
- In the event of a data breach, what is your communication plan?
- How will you confirm the identity of the person requesting having their data transferred?
- How will you transfer an individual’s data if requested?
- What is your process for data deletion requests?
- What are your checks to ensure data is deleted everywhere in your system?
Review your disclosures and privacy statements
- How you protect individual’s data
- Instructions on how individuals can choose how they’d like their data processed (used).
- The rights of the individuals
- How long you you plan on storing the individual’s data
- Where the processing is based and where the data is stored
- Who you share the individual’s data with
- What types of information you have in your organization’s files about the individual
Apply security safeguards
If not in place already, you should have security methods in place to help prevent data breaches. This includes your outside partners with whom you share customer data with.
Document personal data
Where does your data come from, and how? Where does it live, are there any risks, and who all has access.
Only keep what you need
To help simplify your requirements, review the data you’re collecting and saving. If you can’t answer why you’re saving and archiving particular data, without a business or financial benefit, perhaps it should be removed.
As this evolves, we’ll be staying on top of these new regulations as a service to our clients.
Comments, questions? Share below!