The General Data Protection Regulation (GDPR) is a new law on data protection and privacy for individuals in the European Union.
This policy has every organization with an online presence sending emails about privacy. (I’m sure your inbox is filled with such emails.)
GDPR aims to ensure that every organization uses the “data protection by design and by default” approach for all data collection processes. Privacy settings and security for data collection processes must be set to the highest possible level by default, so that all personal/private data is secure and not publicly available unless the user chooses to share such information by changing the settings. Personal data must be processed only under the conditions specified by GDPR.
Any business that needs to collect data is required to clearly state the type of data needed, the process and reason for collection, the duration of data retention, and whether the data will be shared with third parties or not. Users can request copies of the data collected at any time and can also request the erasure of that data. A data breach must be reported within 72 hours.
Compliance with GDPR is like a badge of “trust”. Consumers will feel safer and more confidently release their private data when they know that your organization complies with GDPR.
Some of the things required for an organization to be compliant are:
- Data protection by design and default. Data collection processes must be developed with the highest level of data protection. Users can, however, decide to lower their level of data protection by choice.
- Users must be made aware of the type of data collected, the reason for collection, the duration of data retention, and whether the data will be shared with third parties or not.
- Data collection process. Collection process must be clearly stated. The list of locations where data is stored and how data flows between them must also be stated.
- Data security. Data processing must be secure and must not be interceptable by a third party.
- Users must be notified within 72 hours if there is a data breach.
- Data Protection Officer (DPO). A data protection officer must be appointed. The DPO is responsible for overseeing the data protection strategy and its implementation to ensure compliance with GDPR requirements.
- Ease of access. Customers should be able to access and update their data. They can also request that their data be delivered to them in a portable format.
- Erasure of data. Customers can ask that their data be erased. They can also ask that you stop processing their data from that point on.
Every data processing organization is expected to fully comply with GDPR by May 25. However, being compliant is not an easy task. It requires a lot of processes and will be a challenge for companies that have always operated with the “let’s collect all the data we can” approach.
According to The Verge, very few companies are going to be 100 percent compliant on May 25.
The main reason most companies will not be ready is the data subject access request. EU residents have the right to request access to review personal information gathered by companies. Those users — called “data subjects” in GDPR parlance — can ask for their information to be deleted, to be corrected if it’s incorrect, and even to be delivered to them in a portable form. But that data might be on five different servers and in god knows how many formats. (This is assuming the company even knows that the data exists in the first place.) A big part of becoming GDPR compliant is setting up internal infrastructure so that these requests can be responded to, according to The Verge.
You can read all about GDPR here.