By: Umeed Kothawala, CEO and Co-Founder Extentia
Soon to be hailed as the most momentous law passed with regard to data protection, GDPR is set to change the way data is managed.
What is it?
GDPR stands for General Data Protection Regulation; its aim is to protect the personal data and privacy of all citizens in the EU and to limit its export. The date is set – May 25, 2018 – and GDPR could be the first law to hold companies of any size accountable for the data that they collect, store, analyze and use. This means that all entities that have a presence in the EU, process the data of EU citizens, have more than 250 employees, or whose data processing impacts the rights of data subjects must be GDPR compliant. Data subjects are also granted rights under GDPR – the right to be forgotten and the right to access information. Any EU resident can demand access to the information held about them, or demand to be forgotten, which means all traces of them must be removed.
What does it protect?
GDPR largely focuses on protecting Personally Identifiable Information (PII) – basic contact information, web data, health and biometric data, and other social data that can be used to identify a specific individual. Three parties are responsible for ensuring compliance with these regulations. The first is the data controllers, who acquire and utilize this data. The next is the data processors, who seek and subsequently work on the data, acting as service providers to controllers. The final group is the data protection officers, appointed internally or externally to respond to all queries and ensure compliance with GDPR.
How can we implement it?
In order to use personal data, the involved parties must implement new measures to ‘pseudonymize’ data, with data protection measures applied from the earliest stage. Companies can follow six steps to implement GDPR. The first is to understand the GDPR legal framework. The second is to create a data register, and the third is to classify the obtained data according to necessity. The fourth step is crucial: a privacy and data protection impact assessment of the policies within the organization. The fifth is to assess and document additional risks. Finally, to stay compliant, organizations must revisit the previous steps, adapt them, and repeat them consistently.
Price of non-compliance?
GDPR requires all data-handling entities to obtain explicit and specific consent, oral or written, for every instance of data captured. The consent must be given through an affirmative act. During data collection, companies are expected to explain how and why the data is obtained. They must also re-obtain consent if the methods or the usage of the data change. If companies do not obtain consent, or if it is not verifiable, they are at risk of non-compliance.
As per Article 13, these companies are also required to inform the relevant customers about the data controller, the data processing involved, the length of data retention, the protection measures, and the ways to exercise the rights GDPR provides. To adhere to Article 22, companies must restrict the use of intelligent algorithms in decision making and in the profiling of individuals. The algorithms used for analytics may therefore have a significant effect on how data is captured.
If any of these requirements are not met, the company can face penalties of up to €20 million or 4% of its annual turnover, whichever is higher.