The General Data Protection Regulation is an EU data protection law, effective from the 25th of May 2018, that replaces the 1995 Data Protection Directive and brings in new rights for individuals and new responsibilities for organizations processing personal information. This set of rules is valid in the 28 EU countries and also applies to organizations outside the EU that process the personal data of EU data subjects.
The main aim of the GDPR is to give EU citizens more effective control over their data, with stronger personal data protection and rules that are unified across the whole European Union.
Personal data is any kind of data that is or can be assigned to a person in any kind of way, such as:
- Identification information: name, surname, address, passport number…
- Web data: IP address, cookies…
- Healthcare documentation
- Biometric data
- Racial and ethnic data
- Religious and personal beliefs
The 6 main data processing principles according to GDPR are:
TRANSPARENCY AND LEGITIMACY - All personal data should be processed in a lawful and fair manner. All information regarding the purpose, methods, and scope of data processing should be easily accessible.
LIMITATION BY PURPOSE - All data should be collected and used solely for the purposes that the company previously declared.
DATA MINIMIZATION - Only the data needed for the processing, and for which prior consent has been given, may be collected.
ACCURACY - Only accurate and valid data may be used. Any inaccurate personal information should be deleted or corrected at the user’s request.
LIMITATION OF STORAGE TERM - All personal information should be stored only for the duration of the processing.
CONFIDENTIALITY - Companies processing users’ data should protect it against unauthorized or unlawful processing and against damage, in line with the GDPR security rules.
Business types that are affected by GDPR
GDPR rules apply to any company that uses and processes the personal information of EU citizens, regardless of the location of the company.
Some of the businesses that must comply with the GDPR regulations are listed below:
- E-commerce – first of all online stores, which process the personal data of their users on an everyday basis
- Online game providers – the majority of online games require personal information from their users. Since a large share of online game users are underage children, the rules for obtaining consent to use personal data will become stricter (starting May 25th this year), requiring additional parent/legal guardian verification in order to protect their personal data (the age limit that triggers the additional verification step will vary from country to country but will be between 13 and 16 years of age)
- Financial institutions – enterprises that handle the banking details and credit card information of their customers
- Healthcare organizations – any medical app or website that processes people’s healthcare records, including medical app development companies
- Telecom services – first of all Internet Service Providers, since they store all the personal information of their users; it will have to be guaranteed that this information is stored only with the users’ consent
There are some crucial steps a business should take to prepare and avoid violations and penalties. Here are some useful tips on how to make your business compliant with the EU data protection directive:
- Outline the route of all personal data and related risks
It is desirable to create a scheme indicating the scope of personal information: where it comes from and where it goes, what is done with it, and how it’s used. Full information about the route and destination of personal data should be transparently recorded in a company document, including its location, who has access to it, and any risks related to storing the personal data.
- Choose the data you’re keeping
In compliance with GDPR, only necessary personal information should be kept. Any outdated or incorrect information should be deleted. Prioritize data and handle it properly.
- Security is important
All data should be given proper protection in order to prevent possible data breaches. Modern data protection technologies in the company’s infrastructure are highly recommended to keep all data safe. Also, the measures to be taken in case of a data breach should be in place. If outsourcing is involved, agree on all security matters with suppliers.
- Go through the documents
According to the GDPR EU directive, customers’/users’ personal data can be processed only by the party to whom consent has been given; implied consent is no longer an option. Company owners are advised to go through their documents, such as agreements and statements, analyze them and adjust them accordingly to provide their users with valid security and privacy information.
- Determine personal data handling steps
According to the GDPR, one has the following rights regarding their personal information:
PARTIAL RESTRICTIONS - The right to prohibit the use of their information for direct marketing if they so wish
THE RIGHT OF BEING INFORMED - In case of a personal data breach, the customer should be notified within 72h
PROCESSING PROHIBITION - If requested, the customer’s data should not be processed, but it does not necessarily have to be deleted either
CORRECTION OF PERSONAL INFORMATION - In case of inconsistencies or outdated information, the customer has the right to request their correction
DELETION OF INFORMATION - If the customer chooses to dissolve an agreement, their data should be deleted immediately
DATA HANDOVER - On the customer’s request, data should be handed over to a new service provider
DATA ACCESS - Every customer has the right to know how their data is used and should be granted access to that data if requested. All necessary information should be provided
INFORMATION - One should be informed upon data collection and should give explicit consent for the company to use the provided information
- Assign a DPO (Data Protection Officer)
Given the importance of data protection, companies that perform regular large-scale surveys or process special personal data (medical records, criminal records…) should have a person or people responsible for protecting the personal information provided.
CONSEQUENCES OF NON-COMPLIANCE WITH THE GDPR
The fine for violating the GDPR rules is up to 4% of annual turnover or 20 million EUR, whichever amount is higher.
In order to meet GDPR requirements, it is important to create internal company data protection policies, verify data processing activities, maintain and keep up to date the documentation on processing procedures, train staff, and appoint a manager who will be responsible for the safety of personal data collection, processing, and storage.
Regardless of the type of business a company is engaged in, as well as the location of the company, if the personal information of EU citizens is used in any manner, the GDPR regulations apply and should be complied with.
Additionally, some of the benefits of complying with the GDPR:
- It is a uniform set of rules applying to all EU countries
- It is oriented to empower and enable economic growth with the help of expense and bureaucracy reduction for companies collaborating with the EU
- There are options for varying liability according to business size, the nature of the data used and some other factors
- Customers’ trust increases when they know that their personal information is reliably secured
Finally, the GDPR is a highly important legislative document that increases the level of personal data protection across the EU and beyond. Complying with it leads to a higher level of customer trust and may also open some doors to EU cooperation for non-EU companies. Carefully select, manage and process the data provided, store it properly and look out for leakage!
Coreware can help you with all your GDPR questions and requirements. Feel free to fill out our contact form and reach out!