Have you ever stopped and contemplated how drastically the internet has changed our everyday lives, interactions, communications and task handling? We send emails, share documents, pay bills, and purchase goods by entering our personal details, all online, and without a second thought.
Now, have you ever wondered how much personal data you have shared online, and what happens to that information? You have probably been told by many companies that they collect some of this data so that they can serve you better, hence to provide you with a better customer experience.
From a business point of view, you might have enjoyed these flows of data, which have created new infrastructure, new ventures, new partnerships, new politics and even new economics. And as certain companies seem to have made a fortune off this practically freely available information, data has become a clear driver of growth and change.
It is no surprise that tensions arose between the data markets and privacy advocates. To reduce the risk of misuse, the EU (which for the time being still includes the UK) introduced in May 2018 its new General Data Protection Regulation, which primarily aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU and the EEA.
A key component of the GDPR legislation is privacy by design; it requires all departments in a company to look closely at their data and how they handle it. If you are interested in finding out about the implications of GDPR for your business, even if it is based outside of the EU and the EEA, we have a great blog on such implications.
Briefly, individuals’ rights under GDPR guarantee the following: data must be processed in a transparent fashion, collected and used for a specific purpose and only that purpose, kept accurate and secure until its specific purpose of use has expired, and must then be deleted.
As a business, you will have to take quite a few steps in order to be compliant with GDPR, and here are just a few ways to get started:
- Map Your Company’s Data
Track where all of the personal data in your entire business comes from, and document what you do with the data. Identify where the data resides, who can access it and if there are any risks to the data. This is not only important for GDPR, but will help improve Customer Relationship Management.
- Determine What Data You Need to Keep
Don’t keep superfluous information, and remove any unused data. If your business collects a lot of data without any real benefit, you won’t be able to do this in a GDPR world.
When disciplining the clean-up process, ask yourself: Why exactly are we archiving this data instead of erasing it? What are we trying to achieve by collecting all these categories of personal information?
- Put Security Measures in Place
Develop and implement safeguards throughout your infrastructure to help contain any data breaches. This means putting security measures in place to guard against data breaches, and taking quick action to notify individuals and authorities in the event a breach does occur.
Make sure to check with your suppliers as well. Outsourcing doesn’t exempt you from liability; you must make sure that they have the right security measures in place.
- Review Your Documentation
Under GDPR, the rules on consent have changed. Pre-checked boxes and implied consent will not be acceptable anymore. You will have to review all of your consent statements and disclosures, and adjust them where needed.
- Establish Procedures for Handling Personal Data
As we mentioned earlier, individuals have 8 basic rights under GDPR. You will need to establish policies and procedures for how you will handle each of these situations. Here are some questions you might want to ask yourself:
- How can individuals give consent in a legal manner?
- What is the process if an individual wants their data to be deleted? How will you ensure that it is done across all platforms and that it really is deleted?
- If an individual wants their data to be transferred, how will you do it?
- How will you confirm that the person who requested to have their data transferred is the person they say they are?
- What is the communication plan in case of a data breach?
Although GDPR is not a North American regulation, it has international implications, and it’s most certainly not something companies doing business abroad, and basically any online business, can afford to ignore. In fact, it just might be the little kick needed to set clear boundaries between companies and the consumers who do business with them. In a way, the firmer approach of GDPR simplifies matters relating to data and privacy in the business world, which is now decidedly global.