Although this has been recent news, it may get more attention over the next few weeks. What is GDPR and how does it affect me?
Here are a few things you need to know before the deadline on the 25th of May.
Understanding the GDPR
What does GDPR stand for? General Data Protection Regulation: legislation which comes into play across Europe to put an individual’s personal data back in their hands.
Businesses and organisations need to be transparent on how they handle a person’s private data.
Every organisation is treated the same and can face the same consequences if they are found to be in breach of the GDPR guidelines.
Look at How You Handle Personal Data
As this legislation is geared towards businesses, they must ensure all of their practices are in line with the GDPR guidelines. Two of the most important are:
- Only collect personal data when you need it and it is relevant
- Only store personal data for as long as you need it
One person should be ultimately responsible for handling data protection. They should receive a full briefing on their obligations and have the correct training. Roles that can take this on include:
- Data protection officer (if one needs to be appointed)
- Privacy counsel
- Chief data officer
Secure Data Storage Systems
Any personal data which is held must be in a secured location. A prime example of how not to store it would be unsecured on a USB drive. If there is a data breach in your organisation, GDPR fines can be substantial.
To make sure the data is safe and kept away from prying eyes it should be encrypted and held in secure locations.
Any data which is located on servers is at risk of being hacked. To make sure connections are secure, a private VPN can mask your company network’s connection. This can go a long way towards making sure all communications with your server or network are hidden from sight.
In the case of a data breach, a data breach notification is mandatory and must be issued within 72 hours of an organisation learning of the breach.
Caring and Treating Personal Data with Respect
Any business owner should treat an individual’s personal data as if it were their own. Fines can be huge, and a breach will most certainly have a detrimental impact on your business’s reputation and brand. Beyond this, an organisation could also be suspended from processing data within the EU.
Ultimately, a firm in violation may find itself unable to trade.
Any organisation which relies on consent before performing data processing using an individual’s personal data must observe the following:
- Consent language must be clear and easy to understand
- A person must act to give consent
- Tick boxes and silence are no longer valid forms of consent
Users will have the right to request that their personal data be erased. With specific exemptions, their data must be deleted.
For a business this covers more than the information it holds itself; it includes any links to, and copies of, the data held by partner organisations.
Besides deletion, users can ask for a complete download of the personal data a company holds. This must be supplied in a form that is readily transferable while remaining secure.
This request for a data download also extends to associated parties who might hold copies of the data.
Any individual who is concerned about how they might be affected has little reason to worry. This legislation has been put in place for everyone’s protection.
With this legislation in place, there will be many changes in the background of what businesses are able to do. A prime example is the most significant data breach recently reported in the news.
Companies such as Cambridge Analytica will no longer be in a position to gather user data in the way they did.
Even if this data was passed on from another party, companies of this nature still have an obligation and still need to follow the guidelines in the legislation.
The Facebook scandal might have done everyone a favour as it highlights the need for such legislation.
If something arises again of this nature, the news could be much more significant, as now the penalties will be instantly enforced.
The playing field for privacy has been levelled, and all organisations should know what they need to do to comply.