The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years, and when it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data. Its impact won’t just be felt in Europe though, as it will have wider implications for companies across the world that hold data on the continent.
They have been designed to give power back to citizens over how their data is processed and used.
1. Obtaining consent
Your terms of consent must be clear. This means that you can’t stuff your terms and conditions with complex language designed to confuse your users. Consent must be easily given and freely withdrawn at any time.
2. Timely breach notification
If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. Failure to report breaches within this timeframe will lead to fines.
3. Right to data access
If your users request their existing data profile, you must be able to serve them with a fully detailed and free electronic copy of the data you’ve collected about them. This report must also include the various ways you’re using their information.
4. Right to be forgotten
Also known as the right to data deletion, once the original purpose or use of the customer data has been realized, your customers have the right to request that you totally erase their personal data.
5. Data portability
This gives users rights to their own data. They must be able to obtain their data from you and reuse that same data in different environments outside of your company.
6. Privacy by design
This section of GDPR requires companies to design their systems with the proper security protocols in place from the start. Failure to design your systems of data collection the right way will result in a fine.
7. Potential data protection officers
In some cases, your company may need to appoint a data protection officer (DPO). Whether or not you need an officer depends upon the size of your company and at what level you currently process and collect data.