The GDPR Regulation is Here – What Does It Mean for Businesses?
Written by Gayathri Venkatesh
After nearly three years of discussion, in April 2016, the EU agreed to adopt the General Data Protection Regulation (GDPR) framework. This regulation is to replace an existing Data Protection Directive (with effect from 1995) and will bring in provisions to protect the personal data and privacy of EU citizens, who transact with businesses within or outside the EU. The reason for GDPR’s existence was due to the previous directive being outdated and the ever growing concerns about personal data safety in today’s world.
GDPR applies to all organizations that transact with member states of the EU and will have to be compliant by 25th May 2018. This means that organizations now will have to not only ensure that personal data is gathered under strict conditions but will have to protect it from misuse/exploitation or face severe penalties.
A data processor, data controller and data protection officer (DPO) are roles to ensure GDPR compliance in an organization. Data controller is responsible for how personal data can be processed and the purpose for which it will be processed. Data processor is responsible for maintaining and processing personal data (GDPR will hold the processor responsible if any breach/non-compliance takes place). Ideally, the controller and the processor should appoint a DPO to overlook GDPR compliance and data security strategies. The DPO is also appointed if the organization carries out processing of data such as behavioral tracking or is a public authority.
Implications of Non-Compliance
Companies who don’t comply with the GDPR regulations will be heavily fined with up to 4% of their annual global revenue or 20 million Euros, whichever is greater.
What is GDPR for EU Citizens/Customers?
Customers are to be explained in a clear and understandable way as part of their ‘right to be informed’ before the data is gathered and how that data will be used and processed. In case the customer does not want his information to be processed, the option to opt out from processing the customer’s data is available. This falls under the customer’s ‘right to restrict processing’. It is for this reason that many marketing and retail companies reach out to customers asking if their data can be processed and still be part of the company’s database. The GDPR also goes one more step ahead giving the citizens the option to choose the ‘right to be forgotten’ process, providing additional rights and freedom to people who want their personal data deleted from any company’s database.
Listed below, citizens also have the following other rights under GDPR:
- Right to access: Provides users the right to access their personal data on company’s database and check how their information is being used and processed.
- Right to have information corrected: This ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.
- Right to be notified: In the event of a data breach, customers have the right to be informed within 72 hours when the company becomes aware of the incident.
As a Business – What Needs to Be Done?
All existing contracts with third-party processors and customers will have to detail the responsibilities and re-define the process of how data is managed, protected, and how breaches will be reported. It is essential that organizations map where all the data comes from, where it resides and ensure that access is restricted to only appropriate authorities.
Determine which data is required and ensure to do a clean-up so that only necessary data which the company can process is available. Start applying security measures in the infrastructure to help contain any data breach (even if a breach occurs, notifying customers on time will have to be followed adequately). This also extends to a service that has been outsourced by your company, which means ensuring that security measures are inculcated by the outsourced company as well. Review all privacy statements and disclosures and adjust wherever required.
Overall, companies that were earlier using consumer data for analytics, marketing or other purposes will have to revamp their policy to align with the GDPR regulations. In case a customer opts to not have their data used for processing, then companies will have to oblige. (By companies, it is not just companies established in the EU, any company that transacts with EU citizens will have to comply with the GDPR rules). Avoid paying heavy fines or facing operational risk by not being compliant with the new regulations by 25th May 2018.
For monitoring similar laws and regulations, and receiving latest insights in such areas, subscribe to Supply WisdomTM Alerts. Take a free trial to see how we can help you stay up-to-date on latest trends and be more proactive about monitoring and managing risks across your global locations and suppliers.