GDPR: All You Need to Know to Be Compliant!

Shaan Ray, published in codeburst, Jun 5, 2018

Introduction

The General Data Protection Regulation (GDPR) is a set of rules under EU law that went into effect on May 25, 2018. The purpose of the GDPR is to give EU citizens more control over the way their personal data is handled, stored, and accessed. Crucially, through the GDPR, European policymakers are restricting the ability of companies to sell consumer data. The GDPR applies to all companies transacting online with EU citizens. Since anyone almost anywhere can access an online service, essentially every online service should comply with the GDPR.

Who it affects

The GDPR harmonizes all existing data protection regulations across the EU. Any organization based in the EU that sells products or services to EU citizens must comply with the GDPR. It also applies to organizations that have an establishment in the EU or monitor the behavior of EU residents, if they collect or process Personal Data.

Personal Data is defined as “any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (EU Data Protection Collective).”

The GDPR is considered a ‘statement of fundamental rights’ within data protection.

Compliance Requirements:

1. Consent

  • “Silence, pre-ticked boxes or inactivity do NOT constitute consent.”
  • A company has to use terms and conditions that are easy to understand and refrain from using legal jargon
  • Users must be able to withdraw consent as easily as they give it
  • Consent for children must be given and verified by the parent

2. Breach Notification

  • Any breach of personal data must be reported to the data protection authorities within 72 hours, and impacted individuals must be notified without “undue delay”

3. Right to Access

  • Individuals should easily be able to find out what personal data is being processed, where it’s being used and for what purpose
  • A document setting this out should be provided free of charge if requested
  • Individuals are entitled to confirmation of whether their personal data is being used

4. Right to be Forgotten

  • The Data Subject is entitled to have personal information erased by the data controller upon request

5. Data Portability

  • Allows individuals to obtain and reuse their personal data for their own purpose by transferring it across several IT environments

6. Privacy by Design

  • Data protection must be in place from the outset, when data collection systems are designed, by implementing the necessary technical and infrastructural measures.
  • Article 25 requires data protection to be designed straight into the development of business processes.
  • This includes ‘pseudonymising’ personal data — ‘de-identifying’ it and replacing it with artificial identifiers

7. Data Protection Officers

  • Public authorities, and organizations that engage in large-scale systematic monitoring or processing of sensitive personal data, must appoint a data protection officer

How to make sure you’re compliant

Preliminary Steps:

  1. Run a personal data audit: identify what personal data you collect
  2. Gap analysis: from your audit, identify the areas that require change
  3. Create the appropriate governance structure to manage compliance

Customer-Facing Areas:

  1. Follow the compliance requirements
  2. Only collect data that you need — if you are not going to use the information, don’t ask for it
  3. Find out if you possess any sensitive personal data. If so, use processes to obtain explicit consent
  4. Update automated processes
  5. Update privacy notices
  6. Identify any additional purposes
  7. Enhance anonymization and pseudonymization of users and their data to stay in line with GDPR principles
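The pseudonymisation called for under Privacy by Design and in step 7 above (replacing direct identifiers with artificial ones while keeping the data usable) can be implemented with a keyed hash. The following is an added example, not code from the article or from any GDPR authority: it uses HMAC-SHA256 tokens with a secret key held apart from the dataset, drops fields the stated purpose does not need (data minimisation, step 2 above), and keeps the token-to-original mapping in a separate table that can be consulted for an access request or purged for an erasure request. The sample records, field lists and function names are constructed for this example; the choice of HMAC over a plain hash is so that a token cannot be recomputed from a guessed value by someone who has only the pseudonymised data.

```python
"""Pseudonymisation of direct identifiers with a keyed hash (HMAC-SHA256).

Added example, not from the original article. Assumptions: records are
constructed sample data, the secret key is stored separately from the
pseudonymised dataset, and the re-identification table is stored apart
from both (the "additional information" that must be kept separately).
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.com", "country": "FR", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.com", "country": "DE", "purchases": 2},
]

# Fields that directly identify a person and are replaced by tokens
# (assumption: this list comes from the personal data audit).
DIRECT_IDENTIFIERS = ("name", "email")
# Fields the processing purpose actually needs; anything else is dropped.
FIELDS_NEEDED = ("country", "purchases")


def make_pseudonym(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed token: same value + same key -> same token, so rows
    belonging to one person can still be joined. Without the key the token
    cannot be recomputed from a guessed value, unlike an unkeyed hash."""
    msg = f"{field}:{value}".encode("utf-8")  # field prefix keeps namespaces apart
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymised records, re-identification table token -> original)."""
    lookup: Dict[str, str] = {}
    out: List[dict] = []
    for rec in records:
        new = {}
        for field in DIRECT_IDENTIFIERS:
            if field in rec:
                token = make_pseudonym(rec[field], key, field)
                lookup[token] = rec[field]
                new[field + "_pseudonym"] = token
        for field in FIELDS_NEEDED:  # data minimisation: copy only what is needed
            if field in rec:
                new[field] = rec[field]
        out.append(new)
    return out, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Authorised reversal, e.g. to answer a right-of-access request.
    Returns None when no mapping exists (never created, or already erased)."""
    return lookup.get(token)


def erase_subject(identifiers: Dict[str, str], key: bytes, lookup: Dict[str, str]) -> int:
    """Honour an erasure request: remove the subject's mapping entries so the
    pseudonymised rows can no longer be linked back to them. Returns the
    number of mapping entries removed."""
    removed = 0
    for field, value in identifiers.items():
        if lookup.pop(make_pseudonym(value, key, field), None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this in a secrets manager, not with the data
    rows, table = pseudonymize(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
    token = rows[0]["email_pseudonym"]
    print("access request ->", reidentify(token, table))
    erase_subject({"name": "Alice Example", "email": "alice@example.com"}, key, table)
    print("after erasure  ->", reidentify(token, table))
```

The pseudonymised rows stay useful for statistics (purchases per country, repeat customers via the stable token) while the dataset on its own no longer names anyone; re-identification depends on the separately stored key and table, and deleting a subject's table entries is one concrete way to act on a right-to-be-forgotten request without rewriting every downstream copy.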

Sanctions

  • An organization that is in violation of the GDPR may be fined up to €20 million or 4% of global turnover (whichever is higher).
  • A warning may be given for a first, unintentional non-compliance
  • Regular periodic data protection audits

Restrictions

The GDPR does not apply when it relates to the following:

  • National security, the army, the police and the justice system
  • Statistics and analysis
  • Deceased persons
  • Laws on employer-employee relations
  • Processing of personal data by a natural person in the course of a purely personal or household activity, with no connection to a professional or commercial activity

Impacts on Business

  • Restrictions on commercial use of information
  • Compliance spending
  • Increased consumer trust — data privacy is incredibly important to European consumers
  • Protection of consumers’ data security rights

Conclusion

The GDPR is here to stay. It is essential that startups and companies incorporate a compliance mechanism into their systems or choose not to service users in the EU. Larger firms should consult their legal departments, or appoint a high-level officer with responsibility for keeping the company compliant with the GDPR and similar current and emerging regulations across the world. It is important to tackle emerging privacy regulations proactively, since it is easier to phase in compliant processes early than to re-design a business later.

Shaan Ray
