General Data Protection Regulation

July 24, 2018 Jesse Bickerton

General Data Protection Regulation – What is it?

You might have noticed that every website has been updating their privacy policy these days. This is because of the General Data Protection Regulation (GDPR). As of May 25, 2018, the GDPR “regulates the processing by an individual, a company or organization of personal data relating to individuals in the EU.” This means that if your company or organization’s website can be accessed by someone in the EU and you collect user data, you must follow these new regulations.

What kind of user data? It covers any type of data, from basic identity information (like name or address) to more complicated data (like biometric or genetic).

What companies are affected by the GDPR?

  • Companies in the EU
  • Any company outside the EU that processes data of EU citizens
  • Companies with over 250 employees
  • Any company with fewer than 250 employees whose data processing is not occasional or involves personal data

As you can see, this effectively means that every company has to comply with the GDPR.

One of the major issues of the GDPR is the request for consent when collecting private data. Just as CASL requires the express consent of an individual before you can send them email communications here in Canada, the GDPR requires that websites now ask for your consent to collect personal information, and this request must also be easy to understand and easy to access.

The GDPR sets out a number of new terms and requirements that businesses and organizations have to follow. For example, a data protection officer must be appointed and is required to keep internal records to verify that the regulations are followed. Any data breach must be reported within 72 hours. For more information, check out the General Data Protection Regulation website.

Today, most websites have updated their policies to reflect the GDPR. Companies like Facebook, Google and Apple have all updated their policies to allow people to check what information these websites collect.

What Steps Should My Company Take?

  1. Set up a GDPR team – involving all groups that collect, analyze or use customers’ data
  2. Assess the Risks – figure out what data is stored and how
  3. Hire a data protection officer – can be internal or an external hire
  4. Create a data-protection plan – update your current policies to match GDPR
  5. Track who has what data when – keep in mind applications that use data
  6. Track your progress
  7. Set up an ongoing assessment plan

Although complying with the GDPR seems tedious, it will go a long way toward helping companies and organizations ensure customer data is protected. With data breaches becoming the norm for big businesses, the GDPR should help increase customer trust in companies that collect, analyze or otherwise use customer data.

Jesse Bickerton, RAVEN5, July 2018

Sources

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

https://www.eugdpr.org/the-regulation.html

https://gdpr-info.eu/key-issues/

https://www.theguardian.com/technology/2018/may/21/what-is-gdpr-and-how-will-it-affect-you

https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

https://www.itproportal.com/features/the-negative-impacts-of-gdpr/


Jesse Bickerton, Oakville, ON, July 2018