Data protection and privacy has become the most hotly debated topic in recent years. With multiple cases of data misuse coming to light, internet users are now more vigilant than ever before about the protection of their personal data. In May 2016, the European Union Parliament approved and adopted a new set of regulations for data protection known as the General Data Protection Regulation (GDPR). It was enforced in May 2018, and is regarded as the strongest data privacy law in the world.
Who Does The Law Cover?
Given that the law was passed by the EU Parliament, it does create some confusion as to why the effect of GDPR has been far-reaching outside the EU. As expected the law covers individuals and companies within the EU, however, it also covers any company that provides services to people in the EU or that monitors people in the EU. For this reason, such companies must also ensure they comply and sign agreements related to GDPR compliance.
If you are in the EU or if your head office is located in the EU or if you serve clients and users in the EU, you must adopt GDPR compliant processes. If you don’t fall under either category, it is still a good practice to adopt GDPR compliant mechanisms. This applies not just to companies that directly collect data but also to ISPs and companies that provide development services and so on. If any of your processes involve storing or collecting customer data, GDPR compliance is something you should look into.
What Rights Will You Need To Provide Your Customers To Be GDPR Compliant?
As a business, you will be required to provide, at the least, the following rights to your customers to be GDPR compliant.
- Right to be forgotten: Your customers should be able to request the deletion of their personal information in your possession. And this needs to be carried out in a timely manner.
- Right of Access: Customers should be given full access to their personal data.
- Right to Restrict Processing: Customers should have the option to block the processing of their personal data either selectively or completely.
- Right to Data Portability: Users of your services must also be granted the ability to download or export their data.
- Rights Related to Automation: If your service processes data automatically for any decision making, then you will need to provide your customers with sufficient information about the process as well as a means to request human intervention.
What’s The Penalty For Non-Compliance?
The maximum penalty for non-compliance is a hefty fine of €20 million or 4 per cent of the company’s global turnover, whichever is higher.
How Are Companies Complying With GDPR Regulations?
What Is The Most Essential Step You Must Execute In Order To Undertake Any GDPR Compliant Strategy?
The most important thing you need to do in order to undertake any GDPR compliant strategy is having customer or user data stored in a secure and centralized location. This will make it easier when people request access to or deletion of their data. It saves you from having to update multiple databases when users request changes of any kind. Furthermore, customer data of all branches or departments under the company must be stored centrally. This way data that is shared between departments and branches can be easily tracked for changes.
What Is Responsible Data Collection?
Customer data collection is of key importance to many industries especially the retail industry. Almost all retail stores around the world, especially in the Middle East, have an option for customers to use some kind of rewards card by sharing their personal information. Details like customer’s name, phone number and email ID needs to be collected and stored sensitively.
You should be able to answer your customers as to why you require this information and how you will ensure it is kept safe. Furthermore, you should also be able to delete the same at the customer’s request. As a customer, they should have access not only to their personal information but to information on how and where their information is used and with whom it will be shared.
At any point in time, the customer should have the option to opt out from any communication from the business.
How Can You Collect Data In A GDPR Compliant Manner?
- Obtain explicit consent: Consent is key for data collection in a GDPR compliant manner. Customers need to give their consent explicitly and as a business, you must acquire explicit consent prior to using any data.
- Say no to opt-out boxes: Prior to GDPR many businesses used to have opt-out boxes in their data forms which implied that customers by default opt-in to their service unless explicitly stated by an opt-out. GDPR rules this out as ambiguous consent and businesses cannot use this anymore.
- Renew consent: If you plan to deploy new processes on data you’ve already collected you will require a renewal of consent from your customers so that they are aware of what is being done with their data.
- Revamp data collection forms: Revise any data forms you’ve made prior to the enforcement of GDPR and ensure they have tick boxes and any other necessary mechanisms in place for you to collect explicit consent.
- Review your data processes: Ensure your data storage and processing is completely secure. Additionally, it is a good practice to create a data map that lists out what information your business collects, where it is stored, who has access to it and when it will be disposed of.
GDPR goes a long way in protecting its people and their personal information. Modelling services around these regulations is a step in the right direction for a more connected yet safer world.