GDPR Compliance Deadline: How to Be Compliant in Simple English

Roshni Shaikh
Guest Contributor

Think about what made companies like Google, LinkedIn and Twitter update their terms of service and privacy policies one after the other. You have probably noticed the notifications by now.

Facebook is already in the limelight over its handling of user data. But look at what is happening to cookie policies: companies everywhere are updating their terms in a hurry.

What is triggering this frenzy? One law that has managed to stir the business world: the GDPR.

The European Union's GDPR takes effect on May 25, 2018. It has been in the news since its adoption by the EU Parliament in April 2016.

The regulation applies to any organization, large or small, that processes the personal data of people in the EU, wherever that organization is located.

What is GDPR and why is it being rolled out?

In simple terms: as someone who resides in the EU, my personal data is protected by the GDPR.

GDPR stands for General Data Protection Regulation. It replaces the 1995 Data Protection Directive (Directive 95/46/EC), which predates most of today's data-driven business and was transposed differently by each member state.

Rapid technological change and the scale at which businesses now collect and process personal data made a law like the GDPR necessary.

The regulation gives people in the EU control over their personal data, limits a business' ability to exploit that data, and spells out the digital rights of data subjects.

Because it is a regulation rather than a directive, it does not require national governments to pass implementing legislation: it applies directly to any person, organization or business that processes the personal data of people in the EU.

This applies whether your company operates business to business or business to consumer.

How will GDPR affect your business?

The GDPR wave has brought both good and bad news. Let's see why.

Some small business owners are panicking about the sudden workload. Russel Xiam, owner of a product support company, says there is a lot to do to migrate to GDPR-compliant software platforms.

Planning for GDPR is equivalent to revisiting your business choices. –  Russel Xiam

Small businesses, it seems, are the most affected.

John Higham, owner of Azybao, a project management company, says that some people are refusing to do business with European companies because they are afraid of being caught in the jam.

Isabelle Trijt, an HR officer from Germany, says:

I had to modify/change/scrap the new hire and employee onboarding policies so that we stay inside of the GDPR compliant circle. I also had to take up the responsibility to delete all the old records containing data of past interviewees.

A business owner in Brussels migrated from Convertkit to MailChimp because Convertkit did not offer a consent checkbox that lets the subscriber choose what their data is used for. Business owners are abandoning email service providers that do not give the user that control, although Convertkit has since added the option.

This makes sense: as the controller of your mailing list, you remain responsible for choosing processors that handle it lawfully, and a provider's terms may disclaim any liability for losses your business suffers.

Such a scenario is rare, but you will still be held accountable for non-compliance because it is your email list.

On the other hand, Sidney Burks, CTO and Co-Founder of Ivizone in France, says:

The new policies haven't had a huge effect on our business. This could largely be due to the fact that French law already had quite stringent requirements around data protection and privacy. GDPR did force us to take data privacy into the core of our products, and think of it from the ground up; however, as we are developing a new release for our product, we were able to do this in a clean and efficient manner.

Sidney adds that the GDPR has forced businesses to get their data houses in order. Ivizone has added policies to delete stale and unnecessary data and reinforced its internal security policies around data storage and access, which means a higher level of data security for its clients.

So, if your business or organization handles personal data, you need to care about the security of that data, and you are obligated to comply with the GDPR. Failing to comply can attract heavy penalties.

The highest penalty, for the most serious infringements, is 4% of your worldwide annual turnover for the preceding financial year or 20 million euros, whichever is higher (more about penalties below).

Who does the GDPR apply to?

There is a lot of confusion about who the law applies to. Some sources talk about EU citizens, others about EU residents.

The confusion arises because the people with GDPR rights are referred to as "data subjects". But who are these data subjects?

Data subjects, who are they?

Does the GDPR protect all EU citizens' data?

Or does it only protect people who reside in the EU?

A data subject is an identified or identifiable natural person whose personal data is processed by a controller or processor. The controller is the business or entity that decides why and how the data is processed; a processor handles the data on the controller's behalf.

The answer turns on location, not citizenship. The GDPR applies to processing by organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people who are in the EU. According to Cyber Counsel, any person present in an EU member state at a given point is a data subject.

What kinds of data are in scope?

The GDPR treats any and all personal data, meaning information relating to an identified or identifiable natural person, as something that person has rights over. This includes:

  • Digital information such as names, email addresses, online identifiers and location data
  • Biometric data
  • Genetic data
  • Encrypted or pseudonymised data, as long as someone holds the key or the means to re-identify the person
  • Any other personal data, such as employment or health details

The rights of a data subject:

1. Where processing relies on your consent, you can refuse to give it, and you can withdraw consent at any time; withdrawing must be as easy as giving it. This is why businesses should provide unticked consent checkboxes (discussed above) rather than pre-ticked boxes.
2. You have the right to be informed about what data is collected, why, and with whom it is shared, and the right of access to the personal data an organization holds about you.

3. You have the right to have inaccurate personal data corrected, and to have processing restricted while a dispute about its accuracy is resolved.

4. You can object to the processing of any or all of your data, and an objection to direct marketing must always be honoured.

5. You have the right to data portability: to receive your data in a machine-readable format and have it transferred to another service provider. You can also request erasure of your data ("right to be forgotten"), though this right may not apply where processing is needed for legal obligations, public health, research and similar purposes.

In short, the GDPR protects everyone in the EU, irrespective of their citizenship or of where the business or organization is located. Breaching the rights of data subjects attracts heavy penalties.

What are the factors that determine a penalty?

1. Past violations – A history of infringements, under the GDPR or the previously applicable Data Protection Directive, weighs against you when the penalty amount is set.
2. Cause – The violation may have been intentional and for profit, or the result of negligence. Either way, the supervisory authority sets the penalty amount according to the cause.
3. Type of information – The classification of the data matters. Misuse of special categories such as genetic or biometric data attracts a higher penalty than, say, employment details. Again, the penalty is set within the discretion and limits the regulation allows.
4. Remedial measures – Steps you have taken to mitigate the damage suffered by the people affected are a deciding factor.
5. Preventive measures – The EU allowed a transition period of two years before enforcement begins in May 2018. If your company has implemented technical and organizational measures to stay compliant and an infringement still occurs, that counts in your favour when the penalty is set.
6. Intention – A deliberate infringement is treated far more severely than an accidental one.
7. Co-operation – If the business has co-operated with the supervisory authority to repair the damage and, where possible, reverse the violation, this can reduce the penalty.
8. Reporting – Whether the violating body proactively reported the infringement itself (personal data breaches must be notified to the supervisory authority within 72 hours where feasible) or it was brought to notice by a complaint or another source.

Please note that none of the above factors fixes a specific penalty: the amount is at the discretion of the supervisory authority within the limits the regulation sets.

For more information, refer to the core principles (Article 5 of the GDPR) that underpin enforcement.

Appointing a Data Protection Officer (DPO)

The data processed in your business may have to be monitored. If you need help organizing your business to comply with the GDPR, seek expert advice.

Each EU member state must designate one or more independent public authorities (supervisory authorities) to monitor compliance with the regulation.

Under the GDPR a Data Protection Officer must be appointed if:

1. Your organization is a public authority or body

2. Your core activities involve regular and systematic monitoring of data subjects on a large scale

3. Your core activities involve large-scale processing of special categories of personal data (such as health, genetic or biometric data) or data about criminal convictions

5 Myths about GDPR

1. US companies are the main target – All companies (not just US ones) with customers in the EU must comply with the law.

2. Small business owners need not worry about GDPR – Any business, small or big, that handles personal data must be GDPR compliant.

3. Consent is implied if the user chooses to enter their personal information during subscription – From May 25, 2018 consent must be a clear affirmative action, such as ticking an unticked checkbox; pre-ticked boxes, silence or inactivity do not count.

4. If you are not doing business inside the EU, you need not be concerned – If you offer goods or services to, or monitor the behaviour of, people in the EU, the GDPR applies wherever your business is located.

5. User data is only the data provided by users – Any data collected, generated, derived or acquired about a person, including cookies and behavioural data, is still personal data.

Conclusion

If your website collects personal information from data subjects, you are now obliged to acquire it in a legally compliant way. For example, if you have a pop-up or subscription form on your website, obtaining valid consent means:

  • Implementing double opt-in, so that only people who confirm their interest end up on the list.
  • Giving users options to control how their data is used.
  • Giving users an easy way to unsubscribe.
  • Ensuring all third-party services you use are GDPR compliant.
  • Keeping your data acquisition procedures in check.
  • Communicating your privacy policies transparently.
  • Designating a Data Protection Officer, or educating and training your staff, to avoid data breaches.
  • Running regular data audits and honouring access requests.
  • Minimizing the data you hold and process.
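The first three points above (double opt-in, user control and unsubscribe) can be built into a mailing-list backend directly. The following is an added example written for this article, not code from the author or from any of the providers mentioned. It assumes a hypothetical `SIGNING_KEY` held server-side, a 48-hour confirmation window and a policy version string; all three are assumptions, not GDPR requirements. The confirmation link carries an HMAC-signed token bound to the address, the purpose and an expiry, so a forged or reused link cannot create a consent record; a record is created only when the link is actually followed, and withdrawal is recorded rather than silently dropped so you can prove when consent existed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical server-side secret: load it from a secret store in production, never hard-code it.
SIGNING_KEY = b"example-key-rotate-me"
TOKEN_TTL_SECONDS = 48 * 3600   # assumed policy: confirmation links expire after 48 hours
POLICY_VERSION = "2018-05-25"   # assumed: version of the privacy notice the subscriber agreed to


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email: str, purpose: str, now: float, key: bytes = SIGNING_KEY) -> str:
    """Step 1 of double opt-in: sign (email, purpose, expiry) so the link mailed to the
    subscriber cannot be forged, altered to another address, or reused after it expires."""
    claims = {"email": email, "purpose": purpose, "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_confirmation_token(token: str, now: float, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the signed claims if the tag is valid and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None
    return claims


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    policy_version: str
    confirmed_at: int
    withdrawn_at: Optional[int] = None


@dataclass
class ConsentLedger:
    """In-memory stand-in for the consent table; keyed by (email, purpose)."""
    records: Dict[Tuple[str, str], ConsentRecord] = field(default_factory=dict)

    def confirm(self, token: str, now: float) -> Optional[ConsentRecord]:
        """Step 2: only a valid click on the mailed link creates a consent record.
        Filling in the sign-up form alone never adds anyone to the list."""
        claims = verify_confirmation_token(token, now)
        if claims is None:
            return None
        rec = ConsentRecord(claims["email"], claims["purpose"], POLICY_VERSION, int(now))
        self.records[(rec.email, rec.purpose)] = rec
        return rec

    def withdraw(self, email: str, purpose: str, now: float) -> bool:
        """Unsubscribe: keep the record but stamp it, so you can show when consent ended."""
        rec = self.records.get((email, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = int(now)
        return True

    def has_consent(self, email: str, purpose: str) -> bool:
        rec = self.records.get((email, purpose))
        return rec is not None and rec.withdrawn_at is None


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = 1_600_000_000  # constructed timestamp for the walk-through
    link_token = issue_confirmation_token("alice@example.com", "newsletter", t0)
    print("listed before confirming:", ledger.has_consent("alice@example.com", "newsletter"))
    print("confirmed:", ledger.confirm(link_token, t0 + 60) is not None)
    print("withdrawn:", ledger.withdraw("alice@example.com", "newsletter", t0 + 3600))
    print("listed after withdrawal:", ledger.has_consent("alice@example.com", "newsletter"))
```

Keeping the purpose inside the token matters: consent for a newsletter is not consent for profiling, so a confirmation link for one cannot be replayed to grant the other. Storing the policy version with the record lets you re-ask for consent when the privacy notice changes instead of assuming the old consent still covers it.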

Disclaimer: The information above is solely for reference and informational purposes. It does not stand as legal advice. Please seek legal counsel for any further advice.

Roshni Shaikh

Roshni helps entrepreneurs to communicate with their audience in a voice that connects and conveys. She helps you spread your message through words that inspire, educate and emote. Her mission is to bring clarity to your content so that you build authority as a business. While she is not writing for the web, she is reading her favorite books on Kindle or playing Chess. She also loves traveling and speaking at networking events. You can find more of her work at https://contentprimer.com/