The General Data Protection Regulation specifies how customers' data can be used and must be protected. The primary objective of the GDPR is to give citizens control of their personal data. Failing to comply with the GDPR can cost you 4% of global turnover or €20 million, whichever is greater.
3. Early 90's
● Adoption of Directive 95/46/EC by the EU in 1995, regarding the protection of individuals' data and its free movement.
● Unlike the US, the EU views privacy as a fundamental human right.
● Americans readily hand over control of personally identifying data, as long as the data is protected and used responsibly.
4. Safe Harbor Agreement
● The EU has a strict policy on moving its customers' data from the EU to another location: no transfer until a privacy agreement exists between the two parties.
● With the growth of the e-commerce market and of data transfers, the Safe Harbor Agreement was reached between the US and the EU in 2000, promising to protect EU citizens' data.
● It allowed US companies to self-certify that they would protect EU citizens' data on their servers.
5. Demise of the Safe Harbor Agreement
● In 2013, Edward Snowden revealed that certain U.S. intelligence services were tapping into internet companies' servers and accessing personal data.
● On October 6, 2015, in light of these data leaks, the EU court invalidated the Safe Harbor Agreement, declaring that it violated the fundamental right to privacy under EU law.
● With the demise of Safe Harbor and the increasing flow of data, the European Parliament adopted the GDPR in April 2016, to take effect from 25 May 2018.
7. GDPR
● The GDPR is best understood as a set of fundamental rights for citizens living in the EU, specifying how customers' data can be used and must be protected.
● The primary objective of the GDPR is to give citizens back control of their personal data.
8. Business Implications
● The rules are strict and heavy penalties can be levied on those who don't comply with the GDPR: an organization can be fined up to 4% of global turnover or €20 million, whichever is greater.
9. Whom does the GDPR apply to?
● Controllers: the organization or entity that determines the purposes and means of processing personal data.
● Processors: the organization or entity that is responsible for processing personal data.
It applies to all organizations, operating within or outside Europe, that provide goods and services to individuals in the EU. The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive and processing for national security purposes.
10. What information does the GDPR apply to?
Personal Data
● Online identifiers – name, email, phone, etc.
● Device identifiers – a number associated with a smartphone
● Cookie IDs
● IP addresses
● Sensitive data, such as genetic and biometric data
11. Getting Ready
To prepare for the new EU GDPR, organisations will need a clear understanding of their current compliance position:
● What personal data do they process?
● Where is it held across their organisation?
● Where is it transferred from and to?
● How secure is the data during the whole transition?
13. Store data in an organized manner
● Be able to answer the person concerned about what data of theirs is being stored.
● If there is a GDPR investigation, you can show that you are taking proper steps to control the data.
You'll need to organise any data you've collected from customers and suppliers, as well as from any past and present employees.
14. Encrypt your data
If your data storage is digital, ask yourself the following questions:
● What device(s) is it on?
● Do I have antivirus software?
● Can I remotely erase the contents if the device is lost?
● Are hard copies locked away securely?
● Who has access to this data?
15. Don't hold onto data unnecessarily
● You should be aware of the data you are taking from the customer and know how you will be processing it.
● Keeping that data merely because it might be helpful in future is against the compliance rules, so it is better to delete it.
16. Clear and simple privacy policy
The key is to rewrite the privacy policy in clear, layman's language, avoiding technical and account-related jargon. You should include the following in your policy:
● What information is being collected?
● Who is collecting it?
● How is it collected?
● Why is it being collected?
● How will it be used?
● Who will it be shared with?
● What will be the effect of this on the individual(s) concerned?
17. Respond to data requests
The Right of Access: If someone asks you what data you hold on them, it must be given to them within one month, free of charge, in electronic format. This is another reason why data must be stored in an organized way, so that you can retrieve it easily.
18. Correction of inaccurate data
The Right to Rectification: If the data owner has requested the rectification of inaccurate data related to him or her that you hold for further processing, you should have a process in place to make the changes without undue delay.
You can collect the corrected data from the owner either by email or in hard copy and make the correction as required.
19. Data breach notification
The Right to be Notified: If your organization has recognised a data breach, the Data Protection Officer and the data owner must be notified of the breach within 72 hours.
Notification keeps the data owner informed of the leak early, so that he or she can take precautionary measures.
20. Transfer of data
The Right to Data Portability: If your consumer has requested their data in order to pass it on to another controller or processor, you are legally obliged to provide the data in a readable format, and you have no authority to hinder the transfer.
21. Deletion of data
The Right to Erasure: If someone asks you to delete their data, you are legally obliged to do so. You need a process to delete the data and make sure it is no longer available in your records.
Keeping data in an organized manner makes it easier to find and delete records as necessary, so you don't get stuck in a mess.
22. Allow people to opt in to data storage
The Right to be Informed: Previously, marketing material came with pre-ticked checkboxes that allowed organizations to store their customers' data; now you need customers to positively opt in to your storage of their data for marketing purposes.
23. Have an easy way to unsubscribe
If someone has requested to unsubscribe from your marketing material, give them an easy way to do so (instructions in emails, texts, etc.), and you are obliged to remove them from the list.
24. GDPR as a marketing factor
● European customers will trust you if you are GDPR compliant.
● Make GDPR compliance part of your terms and conditions, or show it in the footer of your emails.