It is difficult to overestimate the importance of data protection nowadays. In May 2018, new general data protection rules come into force in Europe. They are set out in the General Data Protection Regulation (GDPR) of April 27, 2016, which replaces Directive 94/46/EC on personal data protection of October 24, 1995, and they apply in all 28 EU countries. All companies that provide services to the European market should take the new rules into account to compete ethically.
Let's look at the main new rules of personal data processing in the EU and how business owners working with the EU should react to GDPR.
The 6 main data processing principles in GDPR
First, let's briefly determine what GDPR is. It has two main doctrines:
- EU citizens can control their data more efficiently;
- Data protection rules are unified across the whole European Union;
- Personal data is protected more properly.
What is personal data? Let's define it as follows:
- Identification information like addresses, name, surname, passport number, etc.;
- Web data: IP address, cookies etc.;
- Health documentation;
- Biometric data;
- Racial and ethnic data;
- Religious and personal beliefs.
GDPR includes six basic principles of data processing in its basis:
Transparency and legitimacy
Personal information should be processed in a legal and fair way. Any information concerning the purpose, methods, and volumes of personal data processing should be easily accessible.
Purpose limitation
All data should be collected and used only for the purposes that the company has declared.
Data minimization
You have no right to collect more data than you need for the declared processing.
Accuracy
Inaccurate personal data should be deleted or corrected (on the user's demand).
Limitation of storage term
Personal data should be stored only for the period necessary for the declared purposes of processing.
Integrity and confidentiality
When processing users' data, companies must protect personal data from unauthorized or illegal processing and from damage, according to the GDPR security rules.
Now let's delve into what GDPR means and why it is important.
What business types will be affected by GDPR
What is GDPR compliance in general? It is necessary to note that compliance with GDPR is required for all business owners that use and process personal data of EU citizens. Moreover, even if a company is located outside the EU but handles personal data of EU residents, it should follow GDPR as well. Full information about the GDPR rules can be found on the official website.
But there are a few types of business that should prepare for the new regulation first of all. I list them below.
E-commerce
E-commerce organizations like online stores process personal data of their users every day, and GDPR is what they should comply with first.
Online game providers
This field also comes under the effect of GDPR, since the majority of online games require personal data from users. Moreover, when GDPR comes into force (note: the GDPR implementation date is 25 May of this year), the rules for getting consent will become stricter, and this concerns children's consent in particular. Depending on the EU country, the age of the child may vary from 13 to 16. That is why all online game providers should add more thorough verification of identity and explicit consent from the user to make sure that the individual's age is higher than 13 or 16. Children are not aware of the risks, consequences, guarantees and their rights regarding personal data processing. Their parents or legal representatives can give consent to the processing of the child's data if they permit their children to play online games.
Payment and banking services
Enterprises that work with users' personal payment data, their banking details and credit card numbers are obliged to follow the new data protection rules.
Healthcare
If you own a medical app or a website that works with the healthcare records of many people, or you intend to order the development of a medical app, then GDPR applies to your business as well.
Internet service providers
It concerns Internet Service Providers first of all, since they store all the personal information of users, and they will need to guarantee that this information is stored only with the users' consent.
That is the answer to the question of who is affected by GDPR. So, if you are engaged in one of the business types mentioned above, you should get all the information prepared to avoid violations and penalties. The next section will spell out how to prepare your business to make it compliant with GDPR.
Steps you should undertake to get your business prepared
How to prepare for GDPR? The core of GDPR lies in the term "privacy by design". This term means that confidentiality is built into information technology and large-scale network data systems from the start. Below are the main steps you should take to bring your business into compliance with the EU data protection rules.
#1. Outline the route of all personal data and related risks
You should create a scheme that indicates the scope of the personal data you work with, what you do with this data, how you use it, where it comes from and where it goes. So the full route of the personal data you work with should be shown in your document. You should also indicate where the data is located, who has access to it and whether there are any risks related to its storage.
#2. Choose the data you should keep
When complying with the General Data Protection Regulation, you should remember that you need to keep necessary information only. If there is outdated information, you should delete it. Also, if you find data that brings no benefit, you need to delete it as well. The GDPR principles require more proper handling of personal data. That is why, when you start sorting out all the data, you should determine what necessity each piece of data has.
#3. Keep security in mind
Of course, you should give all data proper protection to prevent possible data breaches. Your infrastructure should use modern data protection technologies to keep all data safe. Also, work out the measures you should take in case of a data breach. Don't forget to settle all security issues with your suppliers if you are engaged in outsourcing.
#4. Look through the documentation
According to GDPR, the personal data of your customers can be processed by you only when the customers have confirmed your right to use their data. Implied consent is not an option anymore. So take all the important documents like agreements and statements, analyze them and adjust them according to the GDPR rules to provide users with information security and privacy.
#5. Determine steps for handling personal data
To make this possible, you should consider that according to GDPR an individual has 8 rights:
Objection to direct marketing
Individuals can forbid the use of their data for direct marketing if they consider it necessary.
Notification of a data breach
According to the information privacy principles of GDPR, in case of a personal data breach, the customer should be notified about the incident within 72 hours from the first confirmation of the data breach.
Restriction of processing
In this case, an individual can demand that their data not be processed, but the data should not be deleted.
Personal information correction
If there are inconsistencies in an individual's personal information or it is outdated, the individual can request to correct the information.
Deletion of data
If your customers dissolve an agreement with you and are no longer your customers, you should delete their data immediately.
Handing over the data
Customers can request that their data be handed over to a new service provider if they want.
Access to their data
All your customers have the right to find out how their data is used and to get access to it upon request. You are obliged to provide them with all the necessary information.
Information and consent before collection
An individual should be informed before his or her data is collected, and their explicit consent should be obtained.
These are all the rights you should respect, and it is necessary to prepare relevant policies and take measures to resolve any of the issues mentioned above if they arise. You should also determine how you will give all customers access to their data, how to delete all information properly, and so on.
#6. Appoint a responsible person for personal data protection
The importance of data protection is hard to overestimate. This step concerns all companies that perform regular large-scale surveys or monitoring of individuals (as was mentioned above), or companies that process special categories of personal data like medical records (EHR systems) or criminal records. The appointed person's position is called a Data Protection Officer (DPO).
How non-compliance with GDPR will affect your business
GDPR compliance is highly important for small and large businesses alike, since if you violate the GDPR rules, you will be fined up to 4% of annual turnover or 20 million EUR, whichever amount is higher.
Therefore, you cannot ignore the new regulation if you plan to develop your business and expand your customer database.
As you can see, to meet the GDPR requirements it is necessary to create internal data protection policies, train staff, verify data processing activity, maintain documentation concerning processing procedures, and appoint a manager who will be responsible for personal data processing.
And don't forget: it doesn't matter what type of business you own if you process personal data of EU citizens. You should make your business comply with GDPR without any exceptions.
Why GDPR is a good option
These rules may seem too complicated and strict, but, in fact, there are some obvious benefits of GDPR compliance:
- It is much easier to follow one set of rules than to consider the national particularities of personal data processing in each separate EU country;
- The reform is oriented towards economic growth by reducing expenses and bureaucracy for companies collaborating with the EU. So the GDPR impact on business can be really positive;
- Also, according to the new rules, some liabilities can change depending on the size of the business, the nature of the data processed and other factors;
- It will increase customers' trust in your business if they know that their data is reliably secured.
So, GDPR is an important legislative document that increases the level of personal data protection in the EU and outside it. Each company should study it in detail. Cleveroad did so as well, as we cooperate with customers from Europe.
Also, this document increases the trust of consumers, and businesses can use all the capabilities of a single European market. So watch all the data you process carefully to prevent data leakage and illegal control of this data by third parties. If you have any questions, if you plan to create your software, or if you are concerned about the privacy of your software, contact us and subscribe to our blog so as not to miss important news!