After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on April 14, 2016. The enforcement date has been set as May 25, 2018. After that date, organizations found to be non-compliant may face heavy fines.
The General Data Protection Regulation (GDPR) applies to every organization that processes the personal data of EU data subjects – not only to organizations based in the EU. It comes into effect on May 25, 2018.
We, as individual users, push personal data into the digital world all the time – to shop online, make a banking transaction, share documents or pictures, and so on. We are aware of data privacy concerns and of data breaches, but how seriously do we consider them each time we enter data into an online platform? And it is not only about individual users worrying about the misuse of personal data – it is also about raising data security at the organizational level.
Under the Data Protection Directive, the rule currently in force, EU member states had the flexibility to transpose the directive into national law as they saw fit. This allowed different organizations to follow distinct approaches to customer data, from how it is secured to how it is used. The resulting differences created ambiguity and led to widely varying levels of data privacy and security. GDPR, being a regulation rather than a directive, applies directly in every member state: it is designed to unify these approaches and establish a common standard of data protection that all EU members will strictly follow. The aim is to simplify and standardize the rules for protecting personal data.
There is a lot of buzz surrounding the implementation of GDPR and compliance. Various theories are doing the rounds, some of which are intimidating business owners. We will cover them in our three-part blog series on GDPR and compliance. Here, I am highlighting a few of the commonest myths confusing decision makers in organizations in the EU and elsewhere. Check them out to see whether you too were misled…
If you run a B2B or B2C business that manages personal data and works through vendors or third parties, how are you complying with the data protection requirements?
Reality: It is not enough simply to have opt-in consent forms on websites and mobile apps. Clear instructions and easily comprehensible terms and conditions are equally important. Plain language is a prerequisite; even children under 16 should be able to understand the terms without effort. For children under 16, however, consent must be given or authorized by a parent or guardian (member states may lower this age threshold, but not below 13).
In addition to the language, the design of these forms should be clear and simple – particularly in terms of navigation. You will also need to capture and store a record of each consent given, because the controller must be able to demonstrate that the data subject consented.
Reality: A user who unsubscribes or opts out, or who exercises the right to erasure, expects the company to delete their data from every location in which it is held – everything saved on devices (laptops, desktops, mobiles) and everything saved in the cloud. This is one of the riskiest areas, and companies are looking for ways to automate it.
Once GDPR is in effect, organizations will need a complete inventory of all the personal data they hold, including copies held by vendors and third parties, so that they can locate it and erase it from every source. That in itself will be a substantial task.
Reality: Unlike a certification scheme, GDPR does not require an external body to certify you; it is based on self-assessment and accountability. Companies holding the personal data of EU data subjects will need to audit and assess that data at a defined frequency against the relevant GDPR articles, using the following controls:
Reality: No; in fact, you can now streamline the process and serve customers better. Going forward, all personal data will have to be documented precisely, which means you can make better use of the information to tailor the experience for the organization and for individual customers alike. Data you hold can be used to personalize the experience for users who have opted in to personalization. You should further ensure that logging is enabled and that the data is traceable back to every source it came from, such as websites, social channels, and others.
With GDPR in effect, websites will need permission to store and use user information, together with an upfront statement of what data is collected and for what purpose it will be used.
There are CMS platforms that can help you establish the above, such as Sitecore, which offers GDPR compliance features and allows information to be stored in encrypted form.
Check this space for more updates on the use of data after GDPR comes into force.