Six months into implementation, the data privacy law set by the European Union has virtually set the cat among the pigeons.
General Data Protection Regulation, or more popularly known by the acronym GDPR, is a comprehensive piece of consumer protection legislation that was passed and finally implemented in May. As a result of the new law, many top companies, which used to take such regulations in their stride historically, have realized they have no room for error.
The two major reasons for this is that as mentioned, the law intends to cover almost every aspect of data privacy—who collects the data, how it is stored and maintained, and other contributing factors. If the rules are not followed, the fines and penalties are really severe.
If you are running any business even remotely connected to E.U. member countries, and if you own online resources that have anything to do with personal data, then you must know GDPR and its implications.
But lest you get concerned by the hype over this law, it should be clarified that once you understand the tenets of the law and follow them, you should stay clear of any penal action.
Here are some tips you may find useful.
Some Basic Factors in GDPR Explained
The moment you have made a decision to start a business in Europe or operate overseas, you may have several questions with regard to GDPR and whether it applies to your business at all.
Some of them are covered here:
On the question of applicability, GDPR does not allow any exemptions. Whether it is an individual or an organization, including startups, small, medium and big companies, everyone will fall within the ambit of GDPR. This is as long as you “process” or “control” personal data.
The law protects consumers within the E.U.’s 28 member countries. Companies that are based both in and outside of these countries must follow the law as long as they handle the data of E.U.-based consumers.
What Is Personal Data?
GDPR defines personal data to include names, addresses, identification details such as ID card numbers and even IP addresses if this information is captured within your website. It’s quite simple—if you have a page on your site that asks the visitors to divulge their name and other personal information so that you may establish contact with them later for any purpose, you would be very much covered under GDPR.
There are separate provisions for what is termed “sensitive data.” This can include a person’s profiling details, such as their ethnicity or political leanings or sexual orientation.
Similarly, any data pertaining to children will be classified as sensitive data and there will be a need for a parental consent to be obtained before capturing such personal data of children.
How are ‘Process’ and ‘Control’ Explained?
Processing of data encompasses virtually all such things that are done to data, including collecting information as described above, using it for any purpose and even deleting personal data. All of these actions constitute “processing” of personal data.
Companies holding payroll information of their employees too are a part of this definition, and the very same guidelines will apply with regard to protecting information.
On the aspect of controlling, GDPR introduces the concept of a “data controller.” This is done with the express purpose of fixing accountability for the actions within any organization as far as the use of data is concerned. If you hold the authority within your setup to decide what is to be done with the personal data collected by your organization, then you are a “data controller” and it’s your primary responsibility to comply with GDPR.
There are details spelled out on how exactly the processing of data is done at the end of the organization holding and processing the data. These entail transparent policies, letting the customers know the purpose for which their data is being processed and where legally bound, obtain their clear consent before the process is carried out.
Lawful Processing of Data
GDPR lays down that if you are in possession of personal data of your customers, you can use that data for legitimate ends as long as you follow the procedures laid down for that.
A whole lot of transparency is insisted upon for this exercise. You will have to take into confidence the person or persons whose data you intend to “process.” This will require you to let them know why you wish to use their personal data and with whom you would be sharing it.
You need to not only receive the explicit consent of those whose data intend to process but leave it open to them to withdraw this consent at any point in time. You would have to include the time duration your data will be sent out of your data servers. As expressed in the beginning, the framers of GDPR have spared no effort at making this legislation a thorough one, leaving very few, if any, loose ends.
The Penalty for Non-Compliance
As widely publicized, the fines imposed under GDPR for non-compliance is established through the due process of a data breach. An investigation will ensue to determine the extent of the damage.
The fine for non-compliance is 4 percent of the worldwide turnover of the defaulter organization or €20 million, whichever is higher.
Some General Suggestions
It is generally assumed that no organization would want to misuse personal data in its possession and invite penalty under GDPR. But the nature of electronic data storage is such that your storage systems could come under attack and the data stolen. Under GDPR, you are held responsible for such loss of data as well.
Therefore, companies have taken measures to make sure the data protection and malware detection steps are adequately taken even before any data is collected in the first place. If you have doubts or if you feel safer getting a second opinion, there are experts who can offer a data protection impact assessment (DPIA).
If you’re not based in Europe, your startup may need the help of such outside experts before you embark on expanding your business to E.U. countries.
Data privacy and data security are high priority areas and if your business is in Europe, awareness about GDPR and how to ensure compliance under it is essential.
e27 publishes relevant guest contributions from the community. Share your honest opinions and expert knowledge by submitting your content here.