GDPR Compliance Deadline: How to Be Compliant in Simple English

Roshni Shaikh
Guest Contributor

Just think about what made companies like Google, LinkedIn, Twitter and the like change their terms and privacy policies one after the other. You must have noticed the notifications by now.

Yeah, Facebook is already in the limelight for user data discrepancies. But look at what’s happening to all the cookie policies. Companies are updating their terms quickly.

What’s triggering this frenzy? Of course, this is happening because of one law that has managed to stir the business world – G.D.P.R.

The European Union’s GDPR law takes effect from May 25, 2018. This has been in the news since its inception and adoption by the EU Parliament in April 2016.

The Law will affect businesses that manage a large amount of data. This applies to all EU citizens’ data, irrespective of their location.

What is GDPR and why is it being rolled out?

In simple terms, as someone who resides in the EU, my data is being protected because of GDPR. 

GDPR stands for General Data Protection Regulation. It replaces the old and obsolete 1995 Data Protection Directive. GDPR is more relevant today as a lot has changed over a period of two decades.

Rapid technological advancements and data processing/usage by businesses has led to realize the need for a law like GDPR.

This new regulation is being brought into effect to give personal data control back to EU citizens. It is put into action to control a business’ ability to exploit public’s personal data. GDPR is rolled out to give the citizens their digital rights

This law does not require national governments to pass any sanctioning legislation. This means that it is naturally applicable to any person, organization or business that deals with EU citizen’s data.

This law applies to your business irrespective of your company operating on a business to business level or business to consumer level. 

How will GDPR affect your business?

About the effect the GDPR wave has had, there is both good and bad news. Let’s see why.

Some small business owners are panicking and complaining about the sudden work overload. Russel Xiam, owner of a product support company says that there is so much to do to migrate to GDPR compliant software platforms.

Planning for GDPR is equivalent to revisiting your business choices. –  Russel Xiam

This implies that small businesses are the most affected.

John Higham, owner of Azybao, a project management company said that people are refusing to do business with European companies because they are afraid that they’ll be caught in the jam.

Isabelle Trijt, an HR officer from Germany says –

I had to modify/change/scrap the new hire and employee onboarding policies so that we stay inside of the GDPR compliant circle. I also had to take up the responsibility to delete all the old records containing data of the past interviewees.

To add to this, a business owner in Brussels migrated to MailChimp from Convertkit because Convertkit wasn’t giving a checkbox option that lets the user “choose” the data. This implies that business owners are abandoning email service providers that do not give more control to the user, although Convertkit has updated their functioning as of today. 

This makes sense because you, as a business, shouldn’t be put in jeopardy due to the rules your email service provider did not follow. After all, the email responder may have policies that do not hold themselves accountable for any loss caused to your business, right?

Although it is rare that such a scenario arises, you will still be held accountable for not conforming to the laws as it is your email list.

On the other hand, Sidney Burks, the CTO and Co-Founder of Ivizone from France says,

The new policies haven’t had a huge effect on our business. This could largely be due to the fact that French law already had quite stringent requirements around data protection and privacy. GDPR did force us to take data privacy into the core of our products, and think of it from the ground up, however as we are developing a new release for our product, we were able to do this in a clean and efficient manner.

Sidney also adds that GDPR has forced the businesses to get their data houses in order. They have now added additional policies to delete stale and unnecessary data and reinforced their internal security policies around data storage and access. This means that they provide a higher level of data security to their clients.

So, if your business or organization handles and processes user data, you should be concerned about your user data security. You are obligated to be GDPR compliant in this case. If your business does not comply with the GDPR law, you may face heavy penalties. 

The highest penalty for the severest deviation will cost you 4% of your global turnover or 20 Million Euros, whichever is higher (more about penalties in later sections).

The GDPR Law applies to ____?

There is a huge confusion about who the law applies to. There are few sources that talk about EU citizens and there are others who talk about EU residents.

The confusion arises as people with GDPR rights are referenced as “data subjects”. But who are these data subjects? 

Data subjects, who are they?

Does the GDPR apply to all EU citizens’ data?

Or does it only apply to people who reside in the EU? 

Data subject are defined as a natural person whose personal data is processed by a controller or processor. The controller or processor could be a business or an entity employed by the business that specifies the data processing funnel. 

The term “data subjects” doesn’t have a specific definition. In fact, it is a connotation. GDPR requires businesses to protect the privacy and personal information of EU citizens under any transactions that occur within EU member states. According to Cyber Counsel, any person present in the EU member states at a given point becomes a data subject. 

What are the kinds of data that is subject to scrutiny?

The GDPR considers any and all personal data concerning a natural person as a belonging of that person. The kind of data may include:

  • Digital Information
  • Biometric Data
  • Genetic Data
  • Encrypted Data
  • Personal Data

The rights of a data subject:

1. According to EU GDPR, you can either choose to be a data subject or not. What it means is that you can refuse to get your data processed and by doing so, you will be exercising your right to not be a data subject.
2. If you choose to be a data subject, you have the right to be informed about your data. You hold the rights to seek all information processing that involves your personal information.

3. You are also given full power and authority to change your personal data or withdraw your data at any given point. This is the main reason why businesses should provide checkbox options (discussed in the above section) to give the user more freedom and power to get their consent.

4. A data subject can also object processing of any/or all of his/her data if s/he thinks that the data being processed is inaccurate or incorrect.

5. A data subject can also object to or resist the transferring of their data from one service provider to another. In addition to this, as a data subject, you can also request to delete your data from the records. But this right may not be earned by the data subject if the data being processed is for legal purposes, public health purposes, research purposes etc.

In short, it applies to all EU residents irrespective of the location of the business, organization or their citizenship. And, breaching the rights of the data subjects attracts heavy penalties. 

What are the factors that determine a penalty?

1. Past Violations – If you have a history of violations, either from GDPR point of view or the previously active Data Protection Directive, this will be a factor that determines the penalty amount.
2. Cause – The violation could be intentional and for profitable purpose. Or it would have been the result of a negligible step. Either way, the decision-making body sets the penalty amount depending on the cause.
3. Type of information – It depends on the classification of information used. For example, a company might have used genetic or biometric data of a person(s) for business purposes. This may attract a higher penalty than information like employment details. Again, the penalty is set entirely within the EU laws’ discretion and boundaries.
4. Solutions and Measures – If you have taken steps to mitigate the damage caused to a person or group of people directly affected by your business, this will also become a deciding factor.
5. Preventive measures – The EU has had a transition period of 2 years before coming to effect and full enforcement in May 2018. If your company has taken measures to stay compliant with the GDPR laws and yet, an infringement has occurred, this will be a point to highlight before the penalty is set.
6. Intention – If the data damage was intentional, this could be a trigger for a penalty.
7. Co-operation and Relations – If the business has been obliging to co-operate with the supervisory authority to repair the damage and possibly reverse the violation, this acts as a positive which may reduce the penalty.
8. Reporting – If the violation was proactively reported by the violating body itself or it was brought to notice by a secondary source.

Please note that none of the above factors guarantee a specified penalty because the determination of fine is completely within the EU laws’ discretion.

For more information, refer to the core principles that lead to the GDPR Law enforcement here

Appointing a Data Protection Officer (DPO)

The data being processed in your business may have to undergo monitoring. If you need help in organizing your business to comply with GDPR, the EU body advises to seek expert consultation.

Each of the EU Member States may nominate one or more independent public authorities to help monitor the data laws’ compliance.

According to GDPR, Data Protection Officers should be appointed if your business operates at the following levels:

1. Organizations that act as public authorities

2. Companies that deal with large-scale data aggregation and monitoring

3. Companies that deal with large-scale processing of crucial personal information

5 Myths about GDPR

1. US companies are heavily affected – All companies (not just US companies) with EU customers should comply with the law.

2. Small business owners need not worry about GDPR – A business small or big: if it handles user data, it should be GDPR compliant.

3. User consent is not mandatory if the user is choosing to enter their personal information during subscription – Explicit consent from the user in the form of a checkbox is mandatory from May 25, 2018.

4. If you are not doing business inside the EU, you shouldn’t be concerned – If you are a business dealing with EU citizen’s data, irrespective of the citizens’ location, GDPR applies.

5. User data is only the data provided by users – Any data collected, generated, modified, morphed or acquired in the form of cookies, user behavior is still user data.

Conclusion

If you are a business with a website that collects personal information of data subjects, you are now obliged to implement legally compliant ways to acquire user information. For example, if you have a pop-up or subscription form on your website, the only way to ensure you are getting the consent of the user is by:

  • Implementing the double opt-in method that pools in only interested members with consent.
  • Giving the user the options to choose to regulate his/her data.
  • Giving the user the option to unsubscribe.
  • Ensuring all the third party services you use are GDPR compliant.
  • Keeping your data acquiring procedures in check.
  • Communicating your privacy policies in a transparent manner.
  • Designating a Data Protection Officer or educating and train your business to avoid the data breach.
  • Ensuring regular data audits and accessibility.
  • Minimizing the data you hold and process.

Disclaimer: The information above is solely for reference and informational purposes. It does not stand as legal advice. Please seek legal counsel for any further advice.

Roshni Shaikh

Roshni helps entrepreneurs to communicate with their audience in a voice that connects and conveys. She helps you spread your message through words that inspire, educate and emote. Her mission is to bring clarity to your content so that you build authority as a business. While she is not writing for the web, she is reading her favorite books on Kindle or playing Chess. She also loves traveling and speaking at networking events. You can find more of her work at https://contentprimer.com/

Pin It on Pinterest

Share This