How Much Should You Be Spending On Gap Analysis GDPR?

Even if your business is not located in the EU and has no establishment there, it may still be processing the personal data of people in the EU, and the GDPR then applies to it. This covers any data controller or processor that handles billing addresses, delivery addresses, online banking credentials or other personal data of people in the EU while offering them goods or services or monitoring their behaviour.

Data subjects must be told, in clear and plain language, which data they provide and how it will be processed. Where the processing relies on consent, they can withdraw that consent at any time.

What is the GDPR?

You probably received a wave of privacy-notice emails from your bank, your email provider and your social media apps in spring 2018. The reason was the European Union's General Data Protection Regulation (GDPR), adopted in 2016 and applicable from 25 May 2018. It is an enforceable data protection law that creates a single set of rules, enforced by the national supervisory authorities, for protecting individuals across the whole EU and the EEA.

The GDPR defines three roles involved in handling, processing and securing personal data: data controllers, data processors and data subjects. A controller is the organisation that determines why and how personal data is processed; for a typical company that is the business itself, acting through its management. A processor is a third party that processes personal data on the controller's behalf and on its instructions, for example a cloud storage service such as Tresorit or an email provider such as Proton Mail.

Data subjects are the individuals whose personal data is processed. Where processing relies on consent, the data subject must be given clear information and must agree through an affirmative action. Consent can no longer be inferred from silence, inactivity or pre-ticked boxes, and consent buried in endless pages of legalese is not freely given, specific, informed and unambiguous. Note that consent is only one of the six lawful bases in Article 6; much processing (performing a contract, meeting a legal obligation, pursuing a legitimate interest) does not rely on consent at all, and "explicit" consent is specifically required for special categories of data such as health data.

The law gives individuals the right to request a copy of the personal data a company holds about them (the right of access). Where the data was provided by the individual and is processed by automated means on the basis of consent or a contract, it must also be supplied in a structured, commonly used and machine-readable format so that another organisation can use it. This is a major shift for most businesses, but it is an essential part of GDPR compliance.

The second of these is the right to data portability: a data subject can take their data from one business to another, or have it transmitted directly where technically feasible, without re-entering it. This benefits clients and businesses alike.

Complying with the GDPR usually requires a business to review its technology and its data architecture. All departments have to work together to identify what personal data the company holds, where it is stored and why. The result is a data map, so that every record about a given person can be located and handled appropriately.

What will the GDPR mean for my company?

The GDPR is among the most comprehensive and far-reaching rules affecting businesses today. It has applied since 25 May 2018 and changes how firms handle personal data in many ways, touching every part of the business from IT to marketing. It also requires controllers and processors to secure personal data with technical and organisational measures appropriate to the risk, which raises the bar for protection against attacks such as ransomware.

Although the GDPR had been in force for nearly a year at the time of writing, many companies were still struggling to implement its requirements. Surveys put the share of fully compliant firms at around 29 percent. That is a low figure, and it is unsurprising that smaller companies have the greatest difficulty complying.

Where a company relies on consent as its lawful basis, the consent must be an explicit opt-in obtained before the processing starts. You cannot add someone to a mailing list unless they have actively opted in. You must also state clearly, at the point of collection, why you are gathering the data and what you intend to do with it, and you must be able to demonstrate that the consent was given and that the person was informed of their rights as a data subject.

The GDPR also requires that a business collects only the data necessary for the stated purpose (data minimisation). That does not prohibit CCTV in the office or web analytics on your site, but each must have a lawful basis and be limited to what the purpose needs: a visitor who is not a customer or prospect still has the same rights, so analytics must be disclosed, restricted to what is necessary and, where it relies on consent, consented to. The GDPR further requires that all personal data is processed securely (integrity and confidentiality).

As a result, the GDPR made businesses rethink their data handling and privacy policies. E-commerce was particularly affected, as it had to devise new procedures and protocols for collecting and processing customer data. In some cases this meant businesses had to drop certain features from their platforms and websites in order to comply.

What can I do in order to get myself ready for GDPR?

The GDPR has applied since 25 May 2018. It requires companies to adapt their information security and data handling procedures to comply. Firms that do not comply can be fined up to 20 million euros or 4 percent of their worldwide annual turnover, whichever is higher.

To prepare for the GDPR, start with an exhaustive audit of your company's data. List all personal data that you collect, store and use, and for each item record the lawful basis under Article 6 on which you rely. Build your action plan by identifying the specific areas where changes are needed, prioritise them by risk, and attach a time and budget estimate to each task.

Next, review the third-party services and companies you work with. Make sure they are GDPR compliant and that you have a written contract with them (a data processing agreement), including safeguards for any transfer of personal data out of the EU/EEA. Also carry out a risk analysis of any processes that handle children's data: the GDPR sets higher standards here, including parental consent for online services offered to children under 16 (member states may lower this to 13) and reasonable efforts at age verification.

Make sure that every consent you rely on is explicit, specific, precise and as easy to withdraw as it was to give. Review the processes you have for handling requests from individuals exercising their rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to solely automated decision-making, including profiling.

Finally, make sure your company is ready to handle breaches of personal data: set up an internal response team and a plan for notifying the supervisory authority and, where the breach is likely to result in a high risk to them, the affected individuals. Appoint a Data Protection Officer where the GDPR requires one (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data). Keep your privacy policies up to date and readily accessible, both to staff and to the data subjects they concern.

What do I need to do in order to minimize having GDPR affect my company?

How much the GDPR affects your business depends largely on how you handle personal data. The law defines personal data as any information relating to an identified or identifiable individual: names, contact details, financial information, medical records and online identifiers such as IP addresses all qualify. If you collect any of this, you must comply with the GDPR or risk fines and other penalties.

The good news is that you can shield your company from the worst consequences by putting processes in place that keep you compliant. Start with a thorough data audit to find out what personal data you hold, where it came from and how it is used. With the audit complete, draw up a plan to review and update your privacy policies and procedures. Double opt-in for newsletter sign-ups is not mandated by the GDPR, but it is a common way to evidence consent. Make sure you have a lawful basis for every category of data you collect, and that all your contractors and partners are on board with the GDPR.

A process for detecting and responding to data breaches is another way to limit the GDPR's impact on the business. The law requires you to notify the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals), so you need systems that detect and contain breaches quickly. Related measures include forming a team to review all data, new and old, for compliance with GDPR requirements; adding consent forms to your site that clearly explain how your organisation uses personal data; implementing a process that lets existing customers withdraw consent; and reviewing and updating contracts with third parties to ensure they comply with the GDPR.

Bear in mind that the GDPR affects businesses of all sizes, not only those in the EU. Any business that processes the personal data of people in the EU or the wider European Economic Area, whether by offering them goods or services or by monitoring their behaviour, must comply, regardless of those people's citizenship.

Under the GDPR, consent and transparency are central: companies cannot bury terms and conditions in contracts that consumers do not understand. A GDPR gap analysis that checks these points is good for users and builds confidence in your business. It also pushes you to streamline your data platforms, which helps departments such as sales and marketing target customers more accurately.