The Cambridge Analytica misuse of Facebook users' data drew the attention of millions of people around the globe and made the importance of data privacy and data protection clearer than ever. With public scrutiny of how personal data is handled growing, the European Union took up the question of how organizations store, process, analyze and use customers' personal data and adopted a strong regulation, the GDPR, which sets strict new rules for protecting that data.
So what does this regulation say? Let's find out in this article.
What is GDPR?
GDPR, the General Data Protection Regulation, is a European Union law that can affect any company that holds or processes the personal data of people in the EU. It protects data subjects located in the EU, not only EU citizens, and it lays down what businesses must do to protect personal data whenever they process it, including during transactions within EU member states.
Data issues have been major news over the past few months, with major tech companies coming under fire for poor data management and security. GDPR requires companies to handle personal data carefully and lawfully, so that the way they use it aligns with public expectations of privacy. Under this law, organizations may also hold and process only the data that is actually necessary for the stated purpose (data minimisation).
The GDPR protects personal data, which includes:
- Basic information such as name, address, ID numbers and contact details
- Biometric data
- Racial or ethnic data
- Political opinions
- Web data such as location, IP address and cookie data
GDPR becomes enforceable on 25 May 2018, but it was adopted two years earlier, in April 2016.
According to GDPR, personal data must be:
- Processed lawfully, fairly and transparently: the customer should know how his or her data is used or will be used.
- Collected for specified, explicit and legitimate purposes only.
- Accurate and kept up to date, used only where necessary, and kept no longer than necessary.
- Processed in a manner that ensures appropriate security of the data.
Why is GDPR needed?
The reason behind drafting GDPR is the European Union's desire to bring data privacy and data protection law in line with how people's data is actually used, especially by platforms such as Amazon, Facebook, Google and Twitter, which serve their users targeted advertising while profiting from users' information. The dangerous results of granting such broad permissions were clearly illustrated in the Cambridge Analytica case, where millions of profiles were harvested in an attempt to influence the 2016 US presidential election.
A second reason is to address the data abuses that the Internet and the cloud make possible, with these platforms using and misusing the public's personal data.
What types of companies come under this regulation?
- Any company that stores or controls the data of individuals in the EU from within EU states.
- Any company outside the EU that has European clients and stores their data in any form; it is liable under GDPR just the same.
- Companies with more than 250 employees, which must additionally keep written records of all their processing activities.
- Companies with fewer than 250 employees are still covered; they are only exempt from that record-keeping if their processing is occasional, is unlikely to result in a risk to data subjects, and does not include sensitive categories of data about European residents.
In practice this means that almost every company has to treat GDPR as a top priority among its corporate goals and regulatory obligations.
What does GDPR mean for organizations?
Any organization that holds and uses the data of individuals in the EU is bound by the new rules, regardless of where it is based. Until now companies mined data accumulated through various means; that has to stop. Organizations that use personal data gathered by tracking online behaviour must obtain consent from users in clear, user-friendly language, and may use that data only for a limited period.
What does it mean for the ordinary user?
Since organizations must obtain consent before using personal information, users will encounter privacy notices and consent requests more often. It is a collective effort, so users are also advised to read the terms and conditions at least once.
What changes do businesses have to implement?
With the General Data Protection Regulation coming into force, companies have to adopt new approaches to storing and processing personal data with the individual's consent.
- Make sure you have a secure place for storing all your sensitive data. Ensure it is accurate and confidential, available whenever required, encrypted and backed up.
- Remember that your suppliers must also be GDPR compliant. Any service provider you use to process data (a processor) has to comply with GDPR, under a written contract with you.
- Report data breaches to your supervisory authority (in the UK, the Information Commissioner's Office, ICO) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. You need a robust process that can quickly detect and respond to data breaches.
- Be ready for questions: as people become more aware of their data privacy rights, they will ask what data you hold on them and how you use it, so you need to be responsive to such requests (GDPR allows one month to answer).
- You may need to appoint a Data Protection Officer (DPO) who ensures the protection of personal data without a conflict of interest. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data; otherwise appointing one is optional but advisable. The role need not be full-time: depending on the organization, a virtual DPO can act as a consultant and work when you need it.
- Create a revised and updated data protection plan that aligns with GDPR requirements.
- Small companies may be affected by GDPR more than others, since they may lack the resources to meet its requirements. Outside advisors and technical experts can guide them through the process with minimal internal disruption.
- GDPR demands transparency and gives users rights over their data: they can ask at any time to have it erased (the right to be forgotten), to have it corrected, or to exercise other controls through a formal request. If a data breach is likely to put them at high risk, they must be notified without undue delay.
How can technology help businesses become GDPR compliant?
With the arrival of GDPR, companies should devote resources to safeguarding data from breaches and to risk management and compliance. Even if your company is not in the EU, GDPR covers the data of individuals in the EU; if your company handles such data, it must comply. Because of the huge volume of data being processed, this regulation has been called one of the most expensive in history. Companies must clearly define and meet policies and procedures under GDPR to be compliant, and they should act before the law comes into force: the maximum fine is 4% of annual global turnover or €20 million, whichever is greater.
Below are some technologies that can help companies meet the demands of GDPR.
Data Management and Security
Protecting a company's data means preventing unauthorized access to it. Data can be breached wherever it is stored, so the first step against intruders is to secure the location where it is held. Encrypting stored data with a proven algorithm raises a wall against a breach: anyone who obtains the ciphertext still needs the decryption key to read, edit or manage the data, so control of the keys becomes the crucial safeguard. Moving to cloud computing can protect data against physical damage, but it does not transfer responsibility: the organization remains the data controller and must verify what protection the provider actually offers. Nor does encryption remove the need for oversight such as a data protection officer; it limits the impact of a breach of the storage layer, not the accountability for the data. In addition to these security measures, organizations need to maintain information audits that track the lifecycle of data: where it came from, how long it has stayed in the database and with whom it was shared. This gives better data management and produces the records GDPR expects.
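As an added illustration, not code from the article, here is a minimal personal-data inventory in Python with an append-only audit trail of the kind the paragraph above describes, combined with the export (portability) and erasure (right to be forgotten) requests listed under "What changes do businesses have to implement?". All subjects, records and dates are constructed sample data, and the `PersonalDataStore` class and its methods are this example's own, not a real library API.

```python
"""Added example, not from the article: a personal-data inventory with an
append-only audit trail (source, purpose, retention, sharing) plus the two
data-subject requests: export and erasure. Sample data is constructed;
only the standard library is used."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import json


@dataclass
class Record:
    subject_id: str        # pseudonymous identifier of the data subject
    category: str          # e.g. "contact", "location"
    value: str             # the personal data itself
    source: str            # where it came from, e.g. "signup_form"
    purpose: str           # purpose it was collected for (purpose limitation)
    collected_at: datetime
    retention_days: int    # storage limitation: delete after this period


class PersonalDataStore:
    def __init__(self, now):
        self._records = []
        self.audit_log = []   # append-only; holds ids and categories, never values
        self._now = now       # injectable clock returning an aware datetime

    def _audit(self, action, subject_id, **details):
        self.audit_log.append({"at": self._now().isoformat(), "action": action,
                               "subject_id": subject_id, **details})

    def collect(self, record):
        self._records.append(record)
        self._audit("collect", record.subject_id, category=record.category,
                    source=record.source, purpose=record.purpose)

    def share(self, subject_id, category, recipient, purpose):
        """Disclose one category to a recipient, only for its collection purpose."""
        rows = [r for r in self._records
                if r.subject_id == subject_id and r.category == category]
        if not rows:
            raise KeyError(f"no {category!r} data held for {subject_id!r}")
        for r in rows:
            if r.purpose != purpose:
                raise PermissionError(f"{category!r} was collected for "
                                      f"{r.purpose!r}, not {purpose!r}")
        self._audit("share", subject_id, category=category,
                    recipient=recipient, purpose=purpose)
        return [r.value for r in rows]

    def export_subject(self, subject_id):
        """Access / portability: everything held about a subject, as JSON."""
        rows = []
        for r in self._records:
            if r.subject_id == subject_id:
                d = asdict(r)
                d["collected_at"] = r.collected_at.isoformat()
                rows.append(d)
        self._audit("export", subject_id, count=len(rows))
        return json.dumps(rows, indent=2, sort_keys=True)

    def erase_subject(self, subject_id):
        """Right to erasure: drop the records; only a tombstone stays in the log."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        removed = before - len(self._records)
        self._audit("erase", subject_id, removed=removed)
        return removed

    def purge_expired(self):
        """Storage limitation: delete records whose retention period has passed."""
        now = self._now()
        keep, expired = [], []
        for r in self._records:
            limit = r.collected_at + timedelta(days=r.retention_days)
            (expired if now > limit else keep).append(r)
        self._records = keep
        for r in expired:
            self._audit("expire", r.subject_id, category=r.category)
        return len(expired)


def demo():
    """Collection, a blocked share, export, expiry and erasure, in that order."""
    clock = [datetime(2018, 5, 25, tzinfo=timezone.utc)]   # constructed start date
    store = PersonalDataStore(now=lambda: clock[0])
    t0 = clock[0]
    store.collect(Record("alice", "contact", "alice@example.com", "signup_form",
                         "account", t0, 365))
    store.collect(Record("alice", "location", "52.52,13.40", "mobile_app",
                         "fraud_detection", t0, 30))
    store.collect(Record("bob", "contact", "bob@example.com", "signup_form",
                         "account", t0, 365))
    store.share("alice", "contact", "email_provider", "account")   # allowed
    try:   # location was collected for fraud detection, not marketing
        store.share("alice", "location", "ad_network", "marketing")
        share_blocked = False
    except PermissionError:
        share_blocked = True
    exported = json.loads(store.export_subject("alice"))
    clock[0] = t0 + timedelta(days=31)     # 31 days later the location data is stale
    expired = store.purge_expired()
    erased = store.erase_subject("alice")
    left = json.loads(store.export_subject("alice"))
    return {"share_blocked": share_blocked, "exported": len(exported),
            "expired": expired, "erased": erased, "left": len(left),
            "actions": [e["action"] for e in store.audit_log]}
```

The audit log deliberately stores only pseudonymous ids, categories and counts, never the values themselves, so it can be kept after an erasure request as proof that the request was honoured without itself becoming personal data that must be erased.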
Blockchain
Blockchain is one of the most prominent emerging technologies of the past few years and has proved its worth over time. It stores data in distributed ledgers, where it is protected by cryptography. Storing data in a distributed ledger means decentralizing it across many geographic locations and parties, which serve as "witnesses" in the event of a cyberattack. Data written to the ledger is immutable, meaning it cannot be edited or deleted, and the chance of a successful tampering attack is close to nil, since an attacker would have to alter a majority of the distributed copies at once. That same immutability is a GDPR problem, however: personal data written directly to a ledger cannot be corrected or erased when a data subject asks. The usual remedy is to keep the personal data off the ledger and record on-chain only a keyed hash of it, so the data itself can still be erased while the ledger stays intact.
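The off-ledger pattern just described, as an added example rather than the article's own code: a toy append-only hash chain stands in for the distributed ledger, and a separate erasable store holds the personal data together with a per-subject secret. It contrasts the naive design (a plain hash of the data on the ledger, which a dictionary attack re-identifies) with a keyed commitment that becomes meaningless once the secret is deleted, while the chain itself still verifies. The `Ledger` and `OffLedgerStore` classes and the sample record are constructed for this example and are not a real library.

```python
"""Added example, not from the article: personal data kept OFF an immutable
ledger. The ledger holds only an HMAC-SHA256 commitment under a per-subject
secret; data and secret live in an erasable store. Erasure deletes both
("crypto-shredding"): the ledger entry survives but is unlinkable.
Sample record is constructed; only the standard library is used."""
import hashlib
import hmac
import json
import os


def canonical(payload):
    """Deterministic byte encoding so identical data always hashes identically."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def naive_commit(payload):
    """The design to avoid: a bare hash of personal data, guessable by dictionary."""
    return hashlib.sha256(canonical(payload)).hexdigest()


def keyed_commit(secret, payload):
    """HMAC under a per-subject secret: useless to anyone without that secret."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only hash chain standing in for a distributed ledger."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _hash(index, prev, commitment):
        return hashlib.sha256(f"{index}|{prev}|{commitment}".encode()).hexdigest()

    def append(self, commitment):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "commitment": commitment,
                            "hash": self._hash(index, prev, commitment)})
        return index

    def verify_chain(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._hash(b["index"], prev,
                                                            b["commitment"]):
                return False
            prev = b["hash"]
        return True


class OffLedgerStore:
    """Personal data and per-subject secrets, kept where they can be deleted."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.secrets = {}   # subject_id -> 32 random bytes
        self.data = {}      # subject_id -> list of (ledger index, payload)

    def record(self, subject_id, payload):
        secret = self.secrets.setdefault(subject_id, os.urandom(32))
        index = self.ledger.append(keyed_commit(secret, payload))
        self.data.setdefault(subject_id, []).append((index, payload))
        return index

    def prove(self, subject_id, index):
        """Show a held payload matches its ledger entry; needs the subject's secret."""
        secret = self.secrets.get(subject_id)
        if secret is None:
            return False
        for i, payload in self.data.get(subject_id, []):
            if i == index:
                return hmac.compare_digest(keyed_commit(secret, payload),
                                           self.ledger.blocks[index]["commitment"])
        return False

    def erase(self, subject_id):
        """Crypto-shred: forget the secret and the data, leave the ledger untouched."""
        self.secrets.pop(subject_id, None)
        return len(self.data.pop(subject_id, []))


def demo():
    payload = {"name": "Alice", "email": "alice@example.com"}   # constructed sample
    # Naive design: an attacker with a list of known addresses hashes each
    # candidate and compares, re-identifying the supposedly anonymous entry.
    naive = Ledger()
    i = naive.append(naive_commit(payload))
    naive_linkable = naive.blocks[i]["commitment"] == naive_commit(payload)
    # Keyed design: the same guess fails; the data is provable only while the
    # controller still holds the secret, and erasure leaves the chain valid.
    ledger = Ledger()
    store = OffLedgerStore(ledger)
    j = store.record("alice", payload)
    keyed_linkable = ledger.blocks[j]["commitment"] == naive_commit(payload)
    proof_before = store.prove("alice", j)
    store.erase("alice")
    proof_after = store.prove("alice", j)
    chain_intact = ledger.verify_chain()
    ledger.blocks[j]["commitment"] = "0" * 64        # simulated tampering
    tamper_detected = not ledger.verify_chain()
    return {"naive_linkable": naive_linkable, "keyed_linkable": keyed_linkable,
            "proof_before": proof_before, "proof_after": proof_after,
            "chain_intact": chain_intact, "tamper_detected": tamper_detected}
```

A bare hash is not anonymisation for low-entropy data such as e-mail addresses or phone numbers, because the attacker can enumerate candidates; the secret in the HMAC is what makes the on-chain value safe to publish, and deleting that secret is what makes erasure possible on a ledger that cannot itself be rewritten.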
API Management
Every organization should review its API management architecture to implement the rules for gathering consent before collecting content and for informing users about how access to their data is regulated. It is a faster and cheaper approach, as it cuts the time a developer needs to connect the technology with the organization's systems.
How will GDPR impact the tech industry?
According to the tech industry, GDPR is "the most disastrous compliance challenge in history". GDPR is set to alter the way user data is gathered and used, and many tech companies will struggle to be ready for compliance. The major challenge for companies that have been exploiting user information is to document all the "personal data" they hold; the regulation sets out guidelines for what counts as personal data. Companies will have to hand over that data in a downloadable format or delete it on request. This will require hiring more employees, which will not be cheap. Cloud computing companies may be hit hardest, since users may ask for deletion of all their data, which is a problem for cloud storage providers that host and store data on behalf of other companies.
Only a few companies have reported being ready for data privacy compliance; the rest will have to spend a fortune to get there.
GDPR and Social Media
Facebook, which owns the photo-sharing platform Instagram, is soon to launch a tool that lets users download their personal data, including photos, videos and messages. As it prepares for the EU's GDPR, the tool will help users see what information they have shared with Instagram. According to reports, an Instagram spokesperson said: "We are building a new data portability tool. You'll soon be able to download a copy of what you've shared on Instagram, including your photos, videos and messages."
GDPR gives customers the right to demand deletion of their data, to opt out of future data collection, and to ask for a copy of their data so they can move it to a different platform (data portability). More details about the tool and its features will follow, but for now it will allow you to download and export what you have shared with Instagram.
The message for organizations is to know your databases: where sensitive information is stored, who has access to it, and who should have access to it will become crucial questions.
All mid-sized and large organizations need to be ready for GDPR compliance by May 2018. GDPR also offers a great opportunity to upgrade security capabilities. It will change the mindset of many businesses: until now they treated data as an asset and mined it without regulation, but from now on they will have to be much more granular about the data they accumulate and how it flows.