Few people know this, but there’s a new law coming on May 18, 2018 called the GDPR.
And while it’s all about the European Union and how data is to be managed and protected, the new regulation is far-reaching.
If you’re doing business in the EU or have clients or staff based there, grab a cup of coffee (or tea) and eliminate all distractions. I’m about to give a crash course on the GDPR.
Disclaimer: This is not an exhaustive resource of information on the GDPR but a summary of major points that impact your business. If you need help becoming GDPR compliant, I’ve included a resources section at the end of this blog post with links to other articles for further reading.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is a new set of rules that govern how your business can retain and use personal data of any EU subjects.
What is an EU subject?
An EU subject is any natural person residing in the European Union.
What is considered personal data?
Personal data is any form of data that can be used to directly or indirectly identify a person. This includes:
- Email addresses
- Bank details
- Posts on social networking websites
- Medical information
- Computer IP addresses
The origins of the GDPR
The GDPR picks up where the Data Protection Directive 95/46/EC of 1995 left off. The Data Protection Directive served well for many years, but as technology developed, changing the way data can be used (think social media, retargeting, email marketing), there was a need to update the directive and the GDPR was born.
How does a business become compliant?
Here are five steps to achieving compliance:
- Access all your data sources
Investigate and audit all personal data that is being stored and used across your business landscape. The regulation requires businesses to be able to prove that they know where personal data is – and where it isn’t.
- Identify what personal data can be found in your data sets
Personal data is usually stored in semi-structured fields. You’ll need to be able to analyse each field to extract, categorise and catalogue personal data elements like names, email addresses and identification numbers.
- Establish governance
Privacy rules must be documented and shared across your business. These rules need to account for who has access to data, what the nature of that personal data is and how it will be used. This will require the development of roles and definitions to make your governance model effective.
- Protect your data
There are three ways in which you can protect data: encryption, pseudonymization and anonymization. You must apply the right technique based on the user’s rights and how the data will be used – without compromising your growing need to utilise the data in various ways in the future.
- Perform an audit
The final step in the compliance process is reporting. You’ll need to show the regulators that:
- You know what personal data you’ve collected and where it’s located;
- You properly manage the process for acquiring consent from people you collect data from;
- You can prove how personal data is used, who uses it, and for what purpose; and
- You have the appropriate processes in place to manage the right to be forgotten, data breach notifications and more.
If a user is not happy with how I manage data or wants to complain about data misuse, what does the complaint process look like?
Issuing a complaint is more complicated than becoming compliant. The complaint process is 18 steps long, so for simplicity, here’s a useful complaint process map created by the International Association of Privacy Protection:
Get the IAPP GDPR Complaint-Process Document here
What are the penalties for non-compliance?
Penalties for breaking the rules are hefty and could cripple or bankrupt many businesses. According to the regulation, businesses can be fined up to 4% of annual turnover or €20 million (whichever is greater). For a South African business, a penalty of this size equates to around R294 million.
What if my business gets hacked?
The GDPR accounts for data breaches and has very specific requirements in case you suffer one.
Data breaches must be reported to the supervisory authorities within 72 hours of the discovery, unless the breach is unlikely to impact the rights and freedoms of the natural persons concerned.
GDPR is coming, and if your company trades in the EU or has staff based there, it will influence the way you do business. Don’t wait too long to achieve compliance or you could have bigger problems to deal with.
Beat Man-in-the-middle attacks with Strong SSL Encryption on your website
TrustTheSite.com is a platinum reseller of VeriSign, Thawte, GeoTrust, Comodo, RapidSSL and Digicert SSL certificates. We offer the best pricing backed by personalised client support.
Call us on +27 23 004 0196 for a free no obligation discussion about your business needs and we’ll help you find the right certificate for your brand.