On May 25, 2018, the European General Data Protection Regulation (GDPR) took effect, and non-compliance can cost companies heavy fines. This changes the way businesses and public sector organizations deal with customer information.
The premise of the regulation is to protect the personal data and privacy of individuals for transactions occurring within European Union (EU) member states. It also regulates the transfer of personal data outside the EU.
One thing that companies outside the EU have to consider is that the General Data Protection Regulation applies equally to every business that trades or does business with EU member states, regardless of where in the world the business is located.
Here are some things you need to know about GDPR:
WHAT IS GDPR?
GDPR was developed to protect the personal data of EU citizens and to govern how that data is collected, stored, processed, used, and destroyed once it is no longer needed. The legislation was created to give citizens control over their personal data.
WHAT DOES IT COVER?
Personal data includes IP addresses, location data, and internet identifiers. Sensitive personal data includes biometric and genetic data. Other points covered include parental consent for processing children's data, cross-border data transfers, how to prevent data breaches, and strict guidelines for notifying data breaches when they occur.
It also covers information that websites routinely require, including IP addresses and email addresses, physical device information such as a computer's MAC address, individuals' home addresses, dates of birth, and financial information on the Internet, including online transaction histories.
However, this is not all that GDPR intends to protect. The legislation also protects user-generated data, such as social media messages (including individual tweets and Facebook updates), as well as personal images uploaded to any website, including those that do not show the likeness of the person who uploaded the image. GDPR also covers medical records and other unique information that is commonly transmitted over the Internet.
Basically, GDPR protects any and all personal user data on virtually any online platform.
Opt-in rather than opt-out
Under GDPR, companies need to shift from an opt-out approach to an opt-in approach. That is, instead of collecting and storing data by default and leaving users to object, companies must obtain users' permission before collecting and using their data. This applies to newsletters and any other platform where user data can be collected.
European users have the legal right to inquire about, or challenge, how their personal information is presented by algorithms, such as those used by search businesses and the like.
WHO WILL BE AFFECTED AND WHAT DOES IT MEAN FOR BUSINESSES OUTSIDE THE EU?
GDPR does not apply only to companies in the EU; it also applies to non-EU companies that sell goods or services to EU citizens. It likewise applies to companies that control or process data belonging to an EU citizen, regardless of where that person is.
It is important to note that under the GDPR, both processors and controllers are responsible for handling the personal data of EU citizens (processors handle data on behalf of another company, the controller).
All companies falling into those categories must comply with all GDPR requirements. That is why it is important – even for companies from non-EU countries – to understand and prepare for this.
Examples of personal data covered by the GDPR include:
- IP addresses and email addresses
- Physical equipment information, such as the MAC address of a computer or device
- Home addresses of individuals
- Dates of birth
- Financial information held online
- Online transaction history
- Medical records
- Religious, philosophical or political beliefs
- Sexuality or sexual orientation
- Genetic or biometric data, including fingerprints and DNA
- User-generated data, such as social media messages
- Photos uploaded to any website
- Any other unique personal information commonly transmitted over the Internet
Check your method of obtaining consent:
- Freely given: Are users opted in rather than opted out?
- Refusing consent must not result in the service being denied
- Verifiable: Are the details of when consent was granted, and what was consented to, properly safeguarded?
- Who is your data controller?
- What decisions do you make with the collected data?
- What data are you collecting?
- What will you use this data for?
- How long is the data saved?
- Is the data mandatory for the operation of your service?
- Do you transfer data internally?
- Who else has access to the data?
Once consent is granted, users can:
- Find out what you know about them with reasonable ease
- Revoke consent without fear of punishment
For compliance purposes, your consent records should include:
- When they accepted
- What disclosures were made at the time they accepted
- How consent was given
- Whether or not they have since withdrawn their consent
Data breach
- Report to the relevant authorities within 72 hours of the breach being discovered