All About GDPR
First of all, if you’ve not heard about GDPR, here it is: GDPR stands for ‘The General Data Protection Regulation’ and is the most important change to data privacy regulation in the past two decades, giving individuals more control over their own personal data. In particular, it governs the processing of the personal data of all individuals within the EU.
Here are some helpful definitions you will need to know before fully understanding exactly what GDPR is:
- Personal Data: any information that can be used to identify an individual, from a name and an email address to medical data or even ethnic origin.
- Processing: any operation performed on personal data by an organisation. This includes, but is not limited to, collection, recording, organisation, structuring, storage, alteration, use, disclosure or making available, and erasure of personal data.
- Controller: a body which determines the purpose and method in which personal data is processed.
- Processor: a body that processes personal data on behalf of, and on the instructions of, the controller.
GDPR was approved by the EU Parliament on 14 April 2016 and has applied since 25 May 2018. The regulation protects personal data from being irresponsibly processed and applies to any organisation that processes the personal data of individuals in the EU, whether or not that organisation is established in the EU and whether or not the processing itself takes place in the EU. GDPR has been referred to as “the greatest gift to data security and privacy” within Unit4. Arnout Zandvliet, of Unit4’s Centre of Intelligence for Cloud, is inclined to agree and adds that GDPR “has boosted innovations around the topic in the product. And creating valuable product innovations is what drives me in my day to day job”.
GDPR was designed to unite the whole of Europe’s data privacy laws and thus has replaced the Data Protection Directive 95/46/EC. Arnout Zandvliet, one of Unit4’s Product Directors adds that “most of the regulations around data privacy were already in place… either as part of the Data Protection Directive, that was introduced back in 1995, or as part of local legislation around the topic”, and that the newly introduced GDPR only expands on this.
The aim of having the whole of Europe adhere to GDPR was to provide a common and consistent understanding of data privacy and of how personal data may be processed. It was also to give individuals in the EU far greater control over their personal data than ever before. Arnout Zandvliet has also expressed that “[Companies within the EU] now have a unified (i.e. consistent) EU regulation on personal data”.
GDPR now ensures that individuals have the right to:
- Access: individuals have the right to know whether a company is processing their personal data, to access that data, and to be told how it is being used. If requested, the company must provide a copy of the personal data free of charge (a reasonable fee may be charged for further copies).
- Erasure: individuals have the right to have their data deleted, for example where the data is no longer needed for the purpose it was collected, where they are no longer customers, or where consent is withdrawn.
- Data Portability: individuals can transfer their data from one company to another in a structured, commonly used and machine-readable format.
- Be Informed: individuals must be informed by companies before data is gathered. Their consent to have their data collected must be given freely and not assumed.
- Rectification: individuals have the right to have their data corrected or completed, without undue delay.
- Restrict Processing: individuals can control whether their data is processed or not. Their data can still be stored, just not used.
- Object: individuals can object to their data being processed for direct marketing, and such processing must then stop. This right must be made clear to individuals at the first point of contact.
- Be Notified: where a breach is likely to result in a high risk to individuals, the company must inform the affected individuals without undue delay. Separately, the company must report the breach to its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
- Not to be subject to automated decision-making: individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them, unless an exception applies (for example, their explicit consent).
“The compliance will be strict, and the hefty fine in case of non-compliance… has resulted in a huge boost in the awareness of the privacy and security of personal data. This level of awareness is really the biggest plus of the GDPR, as it makes everyone knowledgeable of data privacy and the implications if it is not respected”, Centre of Intelligence for Cloud Product Director, Arnout Zandvliet states. To be specific, the fines are as follows: violations of an organisation’s obligations (for example around security of processing, record keeping or breach notification) are subject to fines of up to €10 million or 2% of annual global turnover, whichever is higher. Violations of the basic principles of processing, of individuals’ rights, or of the rules on international transfers are subject to fines of up to €20 million or 4% of annual global turnover, whichever is higher. It is important to note that these fines apply to all companies regardless of size, so precautions must be taken.
To help businesses avoid such fines, we at Myriad Consulting Ltd have put together some steps that your business should take in order to comply fully with GDPR:
- Data Mapping: it is essential that you know where all the personal data in your company comes from and exactly what is done with it. It’s also necessary that you know where this data is stored and who can access it as to limit risk to the data.
- Data Management: decide what information is necessary and delete all data that is not. By doing so, you will also reduce the cost of protecting and encrypting the data you keep.
- Security Measures: implement technical and organisational security measures across the company to prevent data breaches. Also set up procedures so that a breach is reported to the supervisory authority within 72 hours of discovery and, where the breach poses a high risk, affected individuals are informed without undue delay. Your suppliers and other processors must also have adequate security measures in place, and you should have a written contract with each of them, as your company remains responsible as the controller.
- Documentation Review: implied consent is no longer acceptable under GDPR; consent must be freely given, specific, informed and unambiguous. This means that you will most likely need to update your privacy statements and consent forms where necessary.
- Establish Data Handling Policies: it seems obvious, but it is essential that your company is prepared for any or all clients to act on each of their newly given rights regarding their personal data. This means that procedures must be in place for each of these situations before they arise, in order to avoid infringing GDPR.
Unit4’s Arnout Zandvliet thinks that there is a lot to be gained by companies and believes that “the implications of the GDPR should not be seen as issues but as an opportunity to do things better. And this is exactly where Unit4 partners like Myriad excel in: finding better ways for our customers to excel in their business. Do they need to be knowledgeable of the GDPR and its implications? Definitely. Do they need to be data privacy experts? Not unless that is the expertise you’re delivering to your customers”.
In conclusion, it is of the utmost importance that steps are taken to prevent infringement of GDPR. It is clear that major reform is required, regardless of the size of your company, as the threat of a substantial fine is not to be taken lightly. But it doesn’t all have to be negative: these steps will make your company far more reliable, responsible and, overall, far better prepared for the future. As Arnout Zandvliet says: “In the end [GDPR] is a good thing, as it will also spark the awareness of individuals or service users that their personal data is something valuable”.