GDPR Changes and What They Mean for Your Business
GDPR, or the General Data Protection Regulation, was initiated in 2012 and agreed upon by the EU in April of 2016. This spring, the GDPR will become the primary law governing how personal information can be stored and accessed online. This matters for your business because all companies that touch European user data, or plan to collect or store data that links to European users in any way, now have to be in compliance. Here are some quick bullets on what you should know about this regulation change and what your company should be doing as next steps.
When the process was first initiated, it focused on the interests of companies, to encourage business in the EU
After Snowden, the regulations shifted to focus much more on the user and the protection of user data
Before, the Data Protection Directive applied only to companies operating within Europe. With GDPR, any company that collects or stores European customer data will be subject to the regulation.
Additionally, the new regulation expands what counts as an identifier (it is much broader than the well-known name and email identifiers and now includes data such as Twitter handles)
At a high level, these new regulations will require you to be able to easily access and delete user information, send alerts of data breaches, get consent from users before processing their data, and anonymize collected user data
GDPR carries higher penalties for not complying with the new regulations: 2% or 4% of total global annual turnover, or €10m or €20m, whichever is greater.
Companies should be prepared to comply by May 2018
Right to be forgotten: users have the right to ask to be deleted. This includes proof of the cleared record on ALL platforms that touched the user information
Right of Access: users have the right to ask for access to a copy of all data that is being stored about them
Right to stop activities
What to do next...
See how the GDPR impacts your business
Have a PM look at how to update your process to be compliant
Shift company practices or processes to comply with new regulations
Privacy management mandates a risk based approach, and data protection safeguards must be designed into products and services from the earliest stage of development. (3)
Update documentation for personal information and security, including security breaches
If your website is heavily user-based or interaction-heavy, you can try educating users through online videos, campaigns, etc. (4)
Facebook did this to teach people how to take greater control over their data and privacy on social media
Have a plan. Overall, the worst thing you can do is to not take action. If anything, map out a plan for how to proceed with the new regulations.
Feel free to reach out to us at firstname.lastname@example.org with any questions. We can help your team to map out new processes and best practices with your technology to ensure compliance in the coming years.
Also, if you want to just sit back and relax rather than read this full article, feel free to watch this 3-min video on the GDPR changes instead: https://www.youtube.com/watch?v=n5WJOncaHt4
Sources for more information:
In general https://ico.org.uk is an outstanding resource.