What is GDPR and what are its requirements?

GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and non-compliance could cost companies dearly. The General Data Protection Regulation (GDPR) is a legal framework that sets the guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules in order to protect customer data. GDPR sets new standards for customer rights regarding their data. GDPR will significantly strengthen a number of rights: individuals will find themselves with more power to demand that companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than launching separate actions in each jurisdiction; and their enforcement actions

GDPR affects every company, but the hardest hit will be those that hold and process large amounts of consumer data: technology firms, marketers, and the data brokers who connect them. The GDPR was adopted in April 2016 and added to the EU’s general policy of protecting citizens’ data. In addition to notification of collection and legal ramifications for misuse, there is also a requirement to obtain explicit consent, to notify in cases of a hack or breach, and much more.

There are many essential items in the regulation, including increased fines, breach notifications, and responsibility for data transfers outside the European Union. As a result, the impact on businesses is enormous and will permanently change the way customer data is collected, stored, and used.

The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and administer the requirements.

An alarming statistic for companies that deal with consumer data is that 62 percent of the respondents to the RSA report say they would blame the company, not the hacker, for their lost data in the event of a breach. Lack of trust in how companies treat their personal information has led some consumers to take their own countermeasures.

What are the new requirements?

Privacy by Design – Privacy by Design has always played a part in EU data regulations. Its principles of minimizing data collection and retention and gaining consent from consumers are more explicitly formalized.

Data Protection Impact Assessments (DPIA) – When certain data associated with data subjects is to be processed, companies have to analyse the risk to those subjects’ privacy.

Right to Erasure and To Be Forgotten – There has been a long-standing requirement in the DPD allowing consumers to request that their data be deleted.

Fines – The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds.

Overall, the message for companies that fall under the GDPR is that awareness of your data (where sensitive data is stored, who is accessing it, and who should be accessing it) will now become even more critical.

Before GDPR was enforced, the previous data protection rules across Europe had first been created in the 1990s and had struggled to keep pace with massive technological changes.

Companies covered by the GDPR are accountable for their handling of people’s personal information. This can include data protection policies, data protection impact assessments and having relevant documents on how data is being processed.

In recent years, there have been numerous massive data breaches, exposing millions of Yahoo, LinkedIn, and Myspace account details.

Companies that have more than 250 employees need to keep proper documentation of why people’s information is being collected and processed. This includes descriptions of the information being held, how long it has been kept, and the technical security measures in place.

How does the GDPR affect third-party and customer contracts?

The GDPR places equal liabilities on data controllers (the organization that owns the data) and data processors (outside organizations that help to manage that data). If a third-party processor is not in compliance, your organization is not in compliance either.

The General Data Protection Regulation (“GDPR”) goes a long way in ensuring the protection and privacy of user data, but what about third parties, vendors, and other stakeholders? The GDPR clearly states that all businesses and their partners are responsible for the protection of user data. Third parties are legally obligated to comply with all aspects of the regulation to ensure consistency and true protection for consumers.

Long-term impact of GDPR

1. Focus on the intended outcome of legislation

There should be more emphasis on the intended outcome of the legislation: to put citizens first and give people more control over data about them.

2. Most users are groups of people, not individuals

Most services assume that their users are individuals, when often they are groups of people. Recognising this would let services support things like easier switching, better rates on financial products, or easier management of multiple accounts.

3. Building ethical practices and better services

At ODI, we are helping organisations build ethical practices into their day-to-day activities, to engage with people and civil society about potential uses of data, and to spread the benefits that arise from using data equitably and fairly.

While the immediate focus of GDPR is necessarily on creating adequate data protection and compliance, we would encourage organisations both in the public and private sectors to look further to the future.

The GDPR might also change the mindset of business and security teams toward data. Most companies see their data and the processes they use to manage it as an asset, but that perception will change. GDPR applies only to the EU, but given the scale of the market, many companies are deciding it is easier, not to mention good public relations, to apply its terms globally. All organizations, from small businesses to large enterprises, must be aware of all GDPR requirements and be prepared to comply with them in order to be in a strong position.