If you got a mail talking about GDPR last week, let me see your hands!
Quite a number of us got mails intimating us about new permissions as regards our data a few days before the compliance deadline of May 25, 2018. The best part was that we got emails from a list of companies we did not even know we had subscribed to. A friend’s post on social media was like “When did I subscribe to this number of websites sef?”
However, as companies all over the world continue to take steps to ensure preliminary compliance with the GDPR, it is important that we get to know some of the important details of the regulation. Only a few companies in Nigeria have caught the buzz and set up GDPR compliance processes, so it is important to note that if you run any form of business whose transactions could involve an EU country, it is pertinent that you are aware of the necessary provisions. In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected.
A major focus of the GDPR is the strengthened conditions for consent. Companies will not be able to use vague or confusing statements to get you to agree to give them data. The best part is that consent must also be easy to withdraw, and for children under 16, a person holding “parental responsibility” must opt in to data collection on their behalf.
It gets better: you will be able to access the personal data being stored by companies and find out where and for what purpose it is being used, and you get the right to be forgotten. This means you can ask whoever is controlling your data to erase it and potentially stop third parties from processing it.
Tela.uk lists 10 things you need to know about the GDPR:
- The new GDPR will apply from 25th May 2018. Businesses have until then to prepare their data before the law actually applies to them.
- If your company suffers a data breach that goes against the new regulations, you must notify the Information Commissioner’s Office (ICO) within 72 hours of the breach. This short deadline gives you the chance to report the nature of the breach and the approximate number of people that have been affected by it. The people affected should also be notified, even if this takes place before reporting it.
- Not complying with these new regulations could result in a penalty. If a breach is not reported within the 72-hour deadline, there is a risk of being fined up to €10 million or 2% of your global annual turnover, whichever is greater. Furthermore, the ICO can impose a total ban on all data processing within an organisation if it is found to be in breach of the regulations.
- Personal data now covers a huge range of information including photos, bank details, social media names and posts, medical information and IP addresses.
- Pre-ticked boxes or users having to actively opt out of communications will no longer comply with the new regulations. Instead, a double opt-in process will become essential. Prospects will have to tick a box to sign up for marketing communications and then confirm by a further email.
- Full records of all data that has been processed by an organisation, including the type of data and its purpose, will have to be kept. Much more detailed descriptions of the purpose of data collection will have to be given to all participants.
- Consumers whose data you have collected now have the ‘right to be forgotten’. If requested, their data must be completely erased. This means that the controller of the data is responsible for telling other organisations linked to them, e.g. Google, to delete all copies of the data.
- If a consumer does request access to their data, you will no longer be able to charge them a fee for complying with this request. As an organisation, you have 30 days to complete the request and disclose the information.
- Even though Article 50 has just been triggered, it will be another two years before the UK officially leaves the EU. Therefore the GDPR will still apply to the UK during the next two years.
- Organisations that come under public authorities, organisations that engage in large-scale systematic monitoring and organisations that process lots of sensitive personal data will all need to appoint a Data Protection Officer.
According to the EU, stronger rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field. In the next few months we will be on the lookout to monitor compliance and applications; however, we cannot overemphasise the importance of data security in a rapidly evolving world.
Back to the first question I asked: did you get any mail on GDPR? Let’s hear how you felt and what you think about the new regulations.