How to prepare for GDPR?
Every small, medium and large organization that processes personal data of people in the EU has to comply with the GDPR, but getting to grips with it can be challenging. Where do you start, and what does the GDPR actually require? Large corporates like Facebook, Google and Twitter have whole departments specialized in IT law to ensure compliance, but what if you run a one-person company with an e-commerce website that gets thousands of visitors per day? There are many questions, and a lot has already been written about the GDPR. This article looks at the GDPR from the perspective of an SMB/SME inside and outside Europe. Also included: a link to our GDPR compliance KIT.
What on earth is the GDPR?
GDPR stands for General Data Protection Regulation. It is a new regulation of the European Union, adopted in April 2016, that has applied since 25 May 2018. It has been described as "(the) most sweeping overhaul of regulations on personal information for the last two decades." It will reshape the internet.
What is GDPR?:
- It is a new set of EU rules on how organizations may collect and process data about people in the EU (the regulation speaks of "data subjects", not citizens);
- It makes organizations directly accountable for what they do and don't do with personal data. This includes government agencies and other public bodies;
- Non-compliant? The GDPR allows fines of up to the higher of 4% of annual worldwide turnover or EUR 20 million;
- The impact of the GDPR reaches far beyond marketing. It has to be implemented inside applications as well (privacy by design and by default, security by design, GDPR by design).
The GDPR makes sure that every EU user of any online service, whether a Twitter account, eBay, PayPal, shipping information or a comprehensive cloud computing package, is able to control their data.
A long history: Why GDPR is happening?
Although the basic principle of respecting private life was written down in the European Convention on Human Rights in 1950 (a Council of Europe treaty, predating the EU), it was not designed for the electronic storage of personal data.
In the 1980s, when computers became common and were used more and more to process personal data automatically, the Council of Europe adopted Convention 108 (1981), the first binding set of rules on what is and is not acceptable when processing personal data. This was the foundation for the UK's Data Protection Act 1984.
Computing power grew exponentially and found its way into people's living rooms. In 1995 the EU adopted the Data Protection Directive (95/46/EC). Its main purpose was to set a higher common standard across member states and to restrict how personal data may leave the EU to countries without adequate protection. In 1998 the UK followed with the Data Protection Act 1998, and other member states created their own national versions. The disadvantage? Many versions, and largely incompatible with each other.
In 2012 the European Commission proposed replacing the Directive with one regulation for the entire EU. A directive must be transposed into national law, which is where the differences came from; a regulation applies directly in every member state. After several years of negotiation between the European Parliament, the Council and the Commission, the text was agreed in December 2015 and adopted in April 2016. Because of the complexity of the law, a two-year implementation period was granted before it applied on 25 May 2018.
What do you need to know about GDPR?
The most important thing to remember is that companies cannot process personal data without a lawful basis. Consent is the basis most people think of, but performance of a contract, a legal obligation and legitimate interests also count. People must always be able to stay in control of their own data. This covers everything from name, phone number and email address to internet browsing habits, ID numbers, gender, financial records, political opinions and health data.
What does this mean?
- If you rely on consent, you must obtain it explicitly. Consent you already hold only carries over if it was collected to the GDPR standard, meaning you were clear about why you needed the data and what you would do with it. Consent must be unbundled: consent for a newsletter is not the same as consent for receiving offers, so expect more opt-in boxes, none of them pre-ticked. The regulation even foresees standardised icons for privacy information that must be machine-readable when shown electronically;
- Complete transparency. You need to tell people what data you are collecting, how, why and for whom;
- You also need to tell them how to get their data removed, because data subjects (users and non-users) have the right to withdraw consent and the right to erasure. Erasure means you are responsible for removing every copy of that person's data, including copies in backups and in large unstructured data stores. One exception: a legal retention obligation still comes first. If national tax law obliges a company to keep certain records for a number of years, those records stay for that period, but they must still be deleted afterwards;
- As a person in the EU you can ask any company inside or outside the EU to give you the data it holds on you, even if you are not a customer (the right of access);
- Every organization needs someone accountable for personal data who can respond in case of a data breach. A breach of security, whether a cyber-attack or an accidental leak, must be reported to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to put people at risk;
- Complete insight into how the data is processed. Every organization must be able to pull all the data on a person out of its systems and show how it is being used;
- Profiling people by automated means? You need to inform the people involved (users or non-users) how and for what you are going to use their data;
- Work out for every processing activity whether you are the controller (you decide why and how) or a processor (you process on a controller's instructions), and appoint a data protection officer where the GDPR requires one (public authorities and organizations whose core activity is large-scale monitoring or large-scale processing of special-category data);
- Everyone in the organization needs a basic understanding of the GDPR, and management needs to be briefed and possibly trained to ensure compliance;
- A complete data inventory makes sure the organization can identify its exact risks. Every internal policy on data and privacy needs to be harmonized with the GDPR, which means you may need to update existing contracts, privacy statements, data-security controls and even application designs.
How will GDPR impact the US, UK, and even China?
The GDPR is also serious business for organizations outside the EU. If you are an organization outside the EU that stores or processes data on people in the EU, directly or indirectly, you need to take action. The GDPR applies regardless of where your headquarters is located: to any organization with an establishment in the EU, to anyone offering goods or services to people in the EU (employees and customers included), and to anyone monitoring the behaviour of people in the EU, for example through partners, analytics or advertising.
If you are outside the EU, you need at least to do the following:
- Inventory all data (plus processing);
- Conduct a DP impact assessment;
- Encrypt personal data at rest and in transit, and pseudonymise it where you can;
- Adjust privacy policies;
- Adjust data collection processes;
- Adjust data handling procedures;
- Develop a data breach notification processes;
- Ensure APIs, portals or other mechanisms are in place so that users and non-users can give and withdraw consent;
- Ensure the personal data of people in the EU can be exported in a portable format and erased.
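The requirements in the two lists above (per-purpose, unbundled consent; withdrawal; a subject access export; erasure that still respects a statutory retention period) fit in one small data model. The following is an added example, not code from the article or from any product: the register class, the purpose names, the "signup-form" source label and the retention date are all hypothetical. A real system would back this with a database and apply the same rules to backups and to every processor that holds a copy.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Purposes are tracked separately so consent stays unbundled: a "yes" to the
# newsletter never implies a "yes" to offers or to automated profiling.
NEWSLETTER = "newsletter"
OFFERS = "offers"
PROFILING = "profiling"


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool      # True = opt-in, False = withdrawal
    on: date
    source: str        # where it was captured, e.g. "signup-form" (hypothetical)


@dataclass
class Subject:
    subject_id: str
    personal_data: Dict[str, str]
    consents: List[ConsentEvent] = field(default_factory=list)
    # Set when a statute (the article's tax-law example) forces retention.
    retention_until: Optional[date] = None
    erasure_requested: bool = False


class PersonalDataRegister:
    """In-memory stand-in for the system of record (hypothetical)."""

    def __init__(self) -> None:
        self._subjects: Dict[str, Subject] = {}

    def register(self, subject_id: str, personal_data: Dict[str, str],
                 retention_until: Optional[date] = None) -> None:
        self._subjects[subject_id] = Subject(
            subject_id, dict(personal_data), retention_until=retention_until)

    def record_consent(self, subject_id: str, purpose: str, granted: bool,
                       on: date, source: str) -> None:
        # Append-only: the history itself is the proof of consent.
        self._subjects[subject_id].consents.append(
            ConsentEvent(purpose, granted, on, source))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest event for that purpose decides; no event means no consent."""
        subj = self._subjects.get(subject_id)
        if subj is None or subj.erasure_requested:
            return False
        for ev in reversed(subj.consents):
            if ev.purpose == purpose:
                return ev.granted
        return False

    def export(self, subject_id: str) -> Optional[dict]:
        """Subject access request: everything held, plus the purposes in use."""
        subj = self._subjects.get(subject_id)
        if subj is None:
            return None
        return {
            "subject_id": subj.subject_id,
            "personal_data": dict(subj.personal_data),
            "purposes_in_use": sorted({ev.purpose for ev in subj.consents
                                       if self.has_consent(subject_id, ev.purpose)}),
            "consent_history": [(ev.purpose, ev.granted, ev.on.isoformat(), ev.source)
                                for ev in subj.consents],
            "retention_until": (subj.retention_until.isoformat()
                                if subj.retention_until else None),
            "erasure_pending": subj.erasure_requested,
        }

    def erase(self, subject_id: str, today: date) -> str:
        """Erasure request: processing stops at once; the record is deleted now
        unless a retention hold is still running."""
        subj = self._subjects.get(subject_id)
        if subj is None:
            return "unknown"
        subj.erasure_requested = True          # blocks every purpose from now on
        if subj.retention_until and today <= subj.retention_until:
            return f"held-until-{subj.retention_until.isoformat()}"
        del self._subjects[subject_id]
        return "erased"

    def purge_expired(self, today: date) -> List[str]:
        """Run daily: complete erasures whose retention hold has ended."""
        done = [sid for sid, s in self._subjects.items()
                if s.erasure_requested and s.retention_until
                and today > s.retention_until]
        for sid in done:
            del self._subjects[sid]
        return done


if __name__ == "__main__":
    reg = PersonalDataRegister()            # constructed sample data below
    reg.register("u1", {"email": "anna@example.com"}, date(2023, 12, 31))
    reg.record_consent("u1", NEWSLETTER, True, date(2019, 1, 5), "signup-form")
    print(reg.has_consent("u1", NEWSLETTER), reg.has_consent("u1", OFFERS))
    print(reg.erase("u1", date(2019, 3, 2)))
    print(reg.purge_expired(date(2024, 1, 1)))
```

The two design points worth copying are that consent is never stored as one boolean per person but as a per-purpose event history, and that an erasure request flips processing off immediately even when a retention obligation keeps the record alive for a while; the scheduled purge then finishes the job.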
How does the GDPR impact IT and Cloud services?
Many organizations forget that the data they collect nowadays is no longer located inside their own organization. For example:
- Microsoft Office 365 in the cloud;
- Amazon (AWS) virtual servers;
- Third-party "like" buttons and social plugins;
- Google Analytics/AdSense;
- Dropbox, OneDrive;
- Salesforce CRM;
- Wordpress website;
- Drop shipping API.
Ask yourself where the data is located and what that means once you put on your GDPR glasses.
Most of these PaaS, IaaS, SaaS and marketing providers have been working hard on their own compliance, but as their customer you are still the controller: make sure you have a processing agreement and the supporting documentation from each provider, so that you can prove you are compliant.
The GDPR will certainly enhance privacy for people in the EU, but the fines for violations are severe. Make sure your IT systems and business processes are ready. In the first year, regulators may not target small companies: many government agencies are not ready themselves, and large corporates are the obvious first targets. Sooner or later, though, your company will be audited, or a data subject will send in a request that you are obliged to answer. Get prepared. And if you work with data of Chinese citizens, you should also look into China's Cybersecurity Law, which has been in force since June 2017.
Looking for GDPR documents, templates and checklists?
At AllBusinessTemplates.com a complete GDPR compliance KIT with 38 of the most important documents is available. This includes:
- Detailed guidance documents;
- GDPR projects documents and Gantt;
- GDPR privacy policies and notices;
- Data Protection Impact Assessment Documents;
- Data Subject Request Forms (including deletion form);
- Readiness Assessment Checklist;
- Data Transfer Contract;
- Processing Agreement;
- Data Retention Policy Document;
- Data Audit Template;
- And many more.
Each of the necessary GDPR documents is included, supporting you to get your organization up and running for GDPR with speed.