The General Data Protection Regulation (GDPR), created by the European Parliament and Council (Journal Reference: L119, 4/5/2016, p. 1–88), will take effect and become the new regulatory standard that all internet operating companies must adhere to.
Here is a basic guide to help you understand GDPR.
- Who created GDPR?
This law was created by the European Union to replace the Data Protection Act 1998 and act as the new law on data privacy.
- Who will be affected by GDPR?
This law gives citizens and residents of the European Union control over their personal data and over all kinds of data collected by organizations and businesses operating within, or in partnership with, the EU.
This regulatory update comes as a reaction to recent revelations of data leaks, breaches of trust, lack of transparency and misconduct by certain internet companies and advertisers.
The data affected ranges from personal information and banking details to behavioral tracking, advertising rights, IP addresses and anything in between. GDPR is expected to change the way businesses collect, store and use customer data.
This law affects companies that handle EU residents' data, regardless of their size and location.
- Data collection restrictions
Companies and their associates are expected to comply with this law by:
- Collecting only data that is directly relevant to the needs of the business
- Ensuring transparency by disclosing what information they collect about their users and why that information is needed
- Making sure that the Terms and Conditions Agreement is clear and valid and that the customer is giving the required consent
- Stating how long this data will be held, why it is collected, and how it may be used
- Failure to comply
If a company is proven to have failed to comply with these regulations, it can expect to face penalties as high as 20 million euros or 4% of global turnover, as well as the loss of public trust.
- Companies implementing GDPR
Companies are expected to do the following:
- Include GDPR in the terms and conditions (T&C) of their service and make it clear
- Inform the customer/user that the company complies with GDPR standards
- Include the relevant information about GDPR compliance in customer communication mediums (emails, sign up forms, and other modes)
- State the type and nature of the information that will be collected
- GDPR and customers' rights
Under GDPR, customers have the:
- Right to transparent communications
- Right of access
- Right of rectification
- Right of erasure
- Right to object to direct marketing
- Right to data portability
Additionally, companies must be able to store the data properly, transfer it to another system on request, and ensure that any automated processing systems do not risk violating the law.
A data breach is considered a serious matter, and the authorities must be notified within 72 hours.