The General Data Protection Regulation (GDPR) has been in the works since around 2012 to make the European Union (EU) "fit" for the digital age. It is designed to strengthen the data rights of EU residents and to unify data protection law across all member states, so that the same rules apply in each.
Who is covered?
All companies are affected by GDPR, but the ones that hold and process large amounts of consumer data will be affected the most, e.g., technology companies, marketing agencies, and the data brokers who connect them.
Companies that may not have previously had tools for collating all the data they hold on an individual can find it difficult to comply with even the basic requirements for data access.
The largest impact will, however, be on firms whose business models rely on acquiring consumer data on a large scale. Companies that rely on consent to process data now have to request explicit and informed consent. The potential fines organisations face for misusing data are increased under GDPR, and people can now easily discover the information that organisations hold on them. GDPR essentially seeks to bring more transparency to people regarding the data organisations collect about them and what those organisations use it for, thus discouraging unnecessary data collection.
What does GDPR refer to as personal data?
Under GDPR, the EU has substantially expanded the definition of personal data. Online identifiers such as IP addresses, in addition to other data, such as economic, cultural, or mental health information, are personal data. Further, anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
Moreover, people now have the right to access any data a company holds on them and to know why the data is being used or stored. People can also ask for their data to be revised or rectified if incorrect or incomplete.
What does GDPR mean for businesses?
Through GDPR, the EU has established one law across the continent, which applies to all companies doing business within the EU member states. This means that the reach of the legislation extends beyond the borders of Europe to international organisations collecting, storing or using data of citizens within the EU.
The regulation is intended to guarantee data protection safeguards for product and service use by providing 'data protection by design' in new products and technologies.
Organisations will also be encouraged to adopt techniques such as 'pseudonymization' in order to benefit from collecting and analyzing personal data, while also protecting the privacy of their customers.
Are you ready for GDPR?
Here are a few steps to take to ensure that you're prepared for GDPR:
- Understand the types of data your business handles
- Develop a consent policy when collecting user data
- Update your security policies to ensure they are GDPR compliant
- Prepare for data access requests and fair processing requests
If you make the effort to prove to your potential and existing customers that your organization is GDPR compliant, you will not only prevent costly mistakes but also demonstrate your respect for customers' personal data and privacy.