by Shweta Patel
The General Data Protection Regulation (GDPR) is set to overhaul the way businesses collect, store, and process data. Building on the existing legal framework, the GDPR must be adopted by 25 May 2018, and businesses which fail to comply face the prospect of hefty fines.
The countdown is on until the General Data Protection Regulation (GDPR) finally comes into effect. Since the announcement in May 2016, businesses have been given a two-year transitional period before it comes into force on 25 May 2018.
How GDPR will impact your business depends on several factors, including your location and number of employees. The looming deadline certainly means all businesses should evaluate whether they comply.
What is GDPR?
The General Data Protection Regulation was designed in an effort to update the existing Data Protection Directive, which dates back to 1995. Since then our lives, both personal and work, have become more reliant than ever on the internet. Living in a digital world has transformed how we use, share and store information.
According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
There is no distinction between personal data about individuals in their private, public or work roles: the person is the person. In a B2B setting, too, everything is about individuals interacting and sharing information with and about each other. Customers in B2B markets are obviously companies, but the relationships that handle the business topics are people, that is, individuals.
What Rights Does The GDPR Provide?
Individuals have the right to gain access to their personal data at any time. They also have the right to ask how their data is being processed. If requested, the organisation is obliged to provide the information in electronic format, free of charge. However, the ICO states that “you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.”
If consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
Companies collecting data are obligated to provide “fair processing information”. They can do this through a privacy notice, through which consent is then clearly given. The privacy notice must be concise, transparent about the organisation's intentions, and easily accessible. If this data is accessed by an unauthorised third party, for example through loss of data or a hack, it is the organisation’s responsibility to inform the individual. If there was, in fact, a data breach and an individual’s personal information was compromised, the organisation has 72 hours to inform them.
Individuals have a right to transfer their data from one service provider to another, and it must happen in a commonly used and machine-readable format.
If requested, the individual’s data may be stored but not processed. This means the organisation may retain just enough information to ensure this restriction is honoured further down the line.
This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
The GDPR also protects individuals from potentially damaging decisions that are taken without human intervention.
What are the highest impacts of the GDPR?
GDPR will impact all businesses operating within the EU, whether data processing occurs there or not. Non-EU businesses and organisations that offer goods and services to EU citizens will also be subject to GDPR legislation. If your business offers a free online service but you collect IP addresses or track cookies, through form submissions for example, you will still be subject to GDPR.
Perhaps the biggest challenge GDPR poses to businesses is the required detailed recording and processing of user consent. Compliance is moving away from box-ticking. When in effect, businesses and organisations will need to keep detailed and time-stamped records of when a user gave consent and how their data was processed.
Overall, the impact of GDPR on your business will likely require substantial modifications to how you process, store and protect your customers’ data. From now on, storing personal data of EU residents is only legal when there’s consent. Additionally, businesses must erase personal data upon request and report data breaches within 72 hours to supervisory authorities.
In preparing for GDPR, ensure your business has appointed a data protection officer, informed stakeholders of the changes prompted by GDPR, implemented a thorough risk assessment and put a plan in place to report your GDPR compliance. These precautions will help to mitigate risk.
Observe and analyse where all the personal data within the business comes from and how it is processed. Document where that data is stored and who has access to it, and make note of all potential risks. Assess how easy it is for customers to withdraw consent or request that their data be permanently deleted.
Don’t keep more information than necessary, and remove any data that isn’t used. If your business collects a lot of data without any real benefit, you won’t be able to keep doing this in a GDPR world.
In the clean-up process, ask yourself:
Modify where data is stored and processed. Make certain that all the necessary precautions and security measures, and a full plan of action should a breach occur, are in place.
Develop and implement safeguards throughout your infrastructure to help contain any data breaches. This means putting security measures in place to guard against breaches, and taking quick action to notify individuals and authorities in the event a breach does occur.
It is vital that businesses have established procedures in place in relation to each of the eight GDPR rights.
For example:
Wrapping Up
The GDPR is a great thing, as it ensures that we get more control over our data and forces companies to improve security. For the organisations that have to comply with the GDPR, the regulation is less fun, as it might cost companies a lot of money to update their security, some more than others.
Once in effect, however, this transparency will improve the relationship between business and consumer.