The amount of personal data that organizations collect, process and store to support customer services has grown exponentially in the past decade. Consequently, the growing concerns about privacy and threats to personal data led regulatory authorities to take action. The EU adopted the General Data Protection Regulation (GDPR) in 2016 to replace the 1995 Data Protection Directive. GDPR came into force in 2018 to meet the new challenges and the new reality.
Table of Contents
- What Is GDPR?
- 8 Main Customer Rights Causing GDPR Impact
- How Does GDPR Affect US Companies?
- How to Be GDPR Compliant?
- Data Backup: Critical GDPR Compliance Tool
What Is GDPR?
GDPR is the acronym for General Data Protection Regulation, the law that specifies the personal data protection rules and requirements for organizations in the EU.
This means that GDPR applies to organizations that operate in the European Union or process the personal data of EU citizens, even if the organization itself operates outside the EU.
Thus, if you have customers from the EU or plan to start operating in the European market, you must comply with the GDPR requirements, no matter where your organization’s headquarters is located.
The law came into force on May 25, 2018. The United Kingdom has its own version of GDPR, which is almost identical to the EU GDPR but adapted to local legislative principles.
8 Main Customer Rights Causing GDPR Impact
The General Data Protection Regulation’s basic principles can be covered in eight points. At its core, GDPR states that individuals have the right to:
- Access. GDPR mandates organizations to provide customers with access to their personal data on request. Customers can also ask about the usage of their personal data after it has been collected. The organization concerned must provide a copy of this data free of charge and in electronic format.
- Be forgotten. If a customer doesn’t want to be a customer or use the organization’s services any longer, that customer has the right to demand their data be deleted, and the organization is obligated to dispose of it properly.
- Data portability. An organization must provide customers with the possibility of data transfers to a different service provider. Personal data must be transferred in a machine-readable and commonly used format on the customer’s demand.
- Be informed. An organization must inform an individual about collecting personal data before taking action. Individuals must have the opportunity to forbid data collection. Clear consent must be provided freely by the customer and not implied in any way.
- Have information corrected. Whenever an individual’s personal data is incorrect, incomplete, or outdated, they have the right to ask that this data be updated. An organization must provide the required opportunity and apply the updates.
- Restrict processing. If an individual asks that their data not be processed, an organization can still store the data but can’t use it.
- Object. An individual can forbid using their data for direct marketing purposes. An organization must stop any processing right after receiving a customer’s request. Additionally, customers must be clearly informed about this right when an organization starts interacting with them.
- Be notified. In case of a data breach compromising personal data, an organization must notify customers no later than 72 hours after the first information regarding the breach was acquired.
In conclusion, GDPR aims to give customers, prospects, contractors, and employees additional levers to influence how organizations use their personal data. Individuals can now allow or deny such use when an organization collects and uses their data for commercial gain.
How Does GDPR Affect US Companies?
According to the GDPR text, the law defines and ensures the rights of EU citizens regarding their personal data. Thus, GDPR does not automatically apply to every organization in the USA. However, an organization based in or headquartered in the USA must maintain GDPR compliance in certain circumstances.
According to Article 3 of the GDPR, the act applies not only to the EU organizations but also to those outside the European Union that monitor, store, or process the personal data of EU citizens.
If your US organization falls under one of the requirements that follow, the GDPR is applicable regardless of an organization’s scale in such terms as size or revenue:
- An organization provides services or goods to EU residents. In this case, a US organization must maintain GDPR compliance even if it has no official presence in the EU.
- An organization tracks the behavior of individuals in the EU. The GDPR covers personal data such as names, contact details, biometrics, pictures, videos, and device parameters (IP address, for example).
How to Be GDPR Compliant?
The main idea behind GDPR is privacy. To maintain the level of customer data privacy that GDPR requires, an organization’s departments must thoroughly analyze the data they hold and how they use it.
Whether you are only making your first steps on the road to GDPR compliance or checking how compliant you are, the following recommendations can help you find the right points to focus on.
1. Have a data map
Create a map of the personal data you collect. Check where you receive, store, process, and use that data. Identify employees, customers, and contractors who have access to that data. Also, check what risks exist for the personal data you record. The latter can help you achieve GDPR compliance and improve your relationship with customers.
2. Determine what should be kept
Store only the data you need to provide your services and dispose of anything you are not using. An organization can collect lots of data without gaining any real benefit from it. If that is your case, evaluate the value of every item of data you store. To ensure GDPR compliance, you should treat personal data with discipline and thoroughness.
During the data clean-up, consider the following:
- What is the reason for archiving and not disposing of this data?
- What are you saving this data for?
- What’s your goal behind collecting different types of personal data?
- Would disposing of this data bring more benefit than encrypting and storing it?
3. Ensure data security
Avoiding data breaches in a network is impossible without implementing security layers and safeguards in the organization’s environment.
Antivirus software, spam filters, anti-spyware monitoring, adware blockers, malware detectors, and other solutions should be carefully selected and tuned to strengthen your infrastructure’s resilience. Data encryption, network firewalls, managed switches, and hardened routers should be used to add further layers of security.
With data security measures in place, your organization has more chances to avoid breaches and data loss. Additionally, up-to-date monitoring solutions can help you identify breach attempts and, in case an attempt is successful, notify appropriate authorities, customers, or contractors.
You should also ensure that you check the data security approaches throughout your entire supply chain. The fact that you pass on certain functions to outsourced workers or organizations does not mean that you are not responsible for compliance.
4. Review documentation
GDPR requires organizations to get explicit, clear consent from an individual who allows the collection, processing, and storing of their data. An implied consent or a preset checkmark in a box is no longer considered legal.
Your disclosures and privacy statements may require adjustments according to the GDPR rules, and you may need to conduct a full-scale documentation review.
5. Set workflows to handle personal data
As said above, GDPR grants an individual eight fundamental rights to ensure personal data privacy. Your organization needs to develop the appropriate procedures and policies to maintain compliance.
Here are some points to consider:
- How can you get legal and clear consent from an individual?
- Which workflows will your organization have to complete in case an individual demands the deletion of their personal data?
- What do you need to check if personal data is actually deleted from every data storage that your organization has?
- How will you complete data transfer in case an appropriate individual’s demand is received?
- How can you verify that the person requesting any changes to the data is actually the data subject?
- If your organization suffers a data breach, how will you notify the appropriate authorities and concerned individuals?
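The questions above describe a data-subject-request workflow: verify the requester, export in a machine-readable format, and confirm that erasure actually reached every store. The following is an added example, not NAKIVO’s or the article’s own code; the three stores, the HMAC token check and the record layout are constructed for illustration.

```python
"""Minimal data-subject-request workflow: requester verification,
portability export (JSON) and erasure checked across every store.
Added example; stores, secret and token scheme are constructed."""
import hashlib
import hmac
import json

# Constructed sample: one person's data spread across three stores,
# which is exactly why the "deleted from every storage" check matters.
STORES = {
    "crm":     {"u42": {"name": "Alice", "email": "alice@example.com"}},
    "billing": {"u42": {"iban_last4": "1234"}},
    "backups": {"u42": {"name": "Alice"}},  # stale copy that is often forgotten
}

SECRET = b"constructed-demo-secret"  # in practice, loaded from a secrets manager

def make_token(subject_id: str) -> str:
    """Token sent to the subject's verified contact address; possession of it
    shows the requester controls that identity (assumed verification step)."""
    return hmac.new(SECRET, subject_id.encode(), hashlib.sha256).hexdigest()

def verified(subject_id: str, token: str) -> bool:
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(make_token(subject_id), token)

def export_portable(subject_id: str, token: str, stores=STORES) -> str:
    """Right to data portability: one commonly used, machine-readable document."""
    if not verified(subject_id, token):
        raise PermissionError("requester identity not verified")
    bundle = {name: data.get(subject_id, {}) for name, data in stores.items()}
    return json.dumps(bundle, sort_keys=True)

def erase_everywhere(subject_id: str, token: str, stores=STORES) -> list:
    """Right to be forgotten: delete from every store, then prove nothing is left.
    Returns the names of stores that still hold the subject (empty means done)."""
    if not verified(subject_id, token):
        raise PermissionError("requester identity not verified")
    for data in stores.values():
        data.pop(subject_id, None)
    # Post-condition check: any store still holding the id is a compliance gap
    # that must be escalated rather than silently reported as "deleted".
    return [name for name, data in stores.items() if subject_id in data]
```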
Data Backup: Critical GDPR Compliance Tool
When considering how to comply with GDPR, leaders and managers tend to concentrate on processes and security measures that reinforce production environments. However, security measures don’t guarantee that your production infrastructures will remain protected from malware and hacking threats.
You need a contemporary data protection solution to keep control over the data your organization stores and protects, and to remain GDPR compliant even when your production infrastructure is down.
“Contemporary data protection solutions enable you to set automated backup, recovery and replication workflows to have critical data and machines protected and available during any incident. Additionally, most advanced solutions are packed with security features like ransomware protection, role-based access control, two-factor authentication and data encryption, which can not only enhance data protection for companies but help them remain GDPR-compliant,” says Veniamin Simonov, Director of Product Management at NAKIVO.
“Therefore, using such solutions, you can significantly strengthen the IT infrastructures of SMBs and enterprises with a small investment. The cost becomes even lower when you compare possible non-compliance fines.”
GDPR impacts all organizations working with the data of EU citizens, regardless of the organization’s residence. To remain compliant with GDPR, organizations must map their data, determine which data they keep, check the documentation, and ensure proper processes and data security.