Are You Ready for the GDPR?

Europe approves tough new data protection rules — we walk you through the new requirements.

What is the GDPR?

By now, you have heard of the GDPR: the General Data Protection Regulation. It is a European privacy law, approved by the European Commission in 2016. The GDPR is an attempt to bring data protection legislation in line with new, previously unforeseen ways that data is now used.

The goal is to strengthen, harmonize, and modernize EU data protection law to provide more control over the way personal data is used. It serves to enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right.

If you represent the interests of a retail organization or are a vendor for one, you need to know what GDPR means for you.

"...every infringement of your data protection rights, of your privacy rights, have to be justified..."

Jan Philipp Albrecht | Member of the European Parliament

Why is the GDPR Important?

The GDPR puts the consumer in the driver’s seat, leaving your business with the task of compliance. If you don’t want to be subject to high fines, it’s time to become GDPR compliant.

Location

If your organization offers goods or services to citizens and/or residents of the EU, you are subject to GDPR compliance, even if your organization is not located in the European Union.

Data Protection

The GDPR touches every data process and forces organizations to know and understand their data from a 360-degree perspective.

Effective Date

There will not be a “grace period.” Organizations impacted by the GDPR must be compliant when it takes effect on May 25, 2018.

Penalties

There are tough penalties if you fail to comply: fines of up to €20 million or 4% of global annual turnover, whichever is greater. Enforcement action will extend to countries outside of the European Union where processing of EU citizens' data is performed.

7 Principles You Need to Know to Comply

01. Start with Legal Basis

You need to begin by ensuring you have a legal basis in place that allows you to process personal information. This includes, but is not limited to:

  • Obtaining consent for using personal data;
  • Contractual obligations to your consumers;
  • Compliance with other legal obligations you are subject to, etc.

02. Comply with Processing Requirements

The GDPR dictates strict requirements for personal data processing. The GDPR states that data must be:

  • Processed lawfully, fairly and in a transparent manner for your consumers;
  • Collected for specific legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed;
  • Accurate and kept up-to-date;
  • Stored for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, preventing data loss and breaches.

03. Obtain Consumers’ Consent

The conditions for obtaining consent are stricter under the GDPR, as the individual must have the right to withdraw consent at any time. In addition, there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities. This means you have to provide proof that the consumer agreed to a certain action. Keep in mind that:

  • Consent must be specific to each use and/or processing activity, and separate from registration terms and conditions;
  • Silence, pre-ticked boxes, or inactivity do not constitute consent; your consumers must explicitly opt in to the storage, use, and processing of their personal data;
  • In the event that services are provided to children (below the age of 16 years), personal data processing will be lawful only if consent is given by the parents.

04. Provide Data Management Rights to Consumers

The GDPR provides your consumers with the right to manage their personal data in your system and to delete it at any point in time. It is your obligation to ensure you provide these rights to consumers:

  • The right to be forgotten: The consumer may request that an organization delete all of his/her personal data without undue delay;
  • The right to object: The consumer may prohibit certain data uses;
  • The right to rectification: The consumer may request that incomplete data on their profile be completed or that incorrect data be corrected;
  • The right of access: The consumer has the right to know what data about him or her is being processed and how;
  • The right of portability: The consumer may download his or her personal data held by one organization and transport it to another.

05. Ensure Security of Personal Data

The GDPR requires that you put in place technical and organizational measures to ensure a level of security appropriate to the risk, protecting personal data during processing. While this gives you flexibility, here are some common security safeguards suggested by the GDPR:

  • The pseudonymization and encryption of personal data;
  • Logging and tracking of all data processing activities;
  • Transmitting data only over secure protocols (HTTPS, TLS);
  • Additional security measures such as multi-factor authentication (MFA);
  • Data minimization to ensure personal data that is not required for a specific processing activity is not collected or processed;
  • Data deletion once it is no longer required, etc.

06. Inform of Personal Data Breach

In the event of a data breach that poses a significant risk to the rights or freedoms of your consumers, you are obligated to:

  • Notify every consumer whose data were breached;
  • Notify the supervisory authority of the data breach within 72 hours of becoming aware of it.

07. Adhere to the “Privacy by Design” Principle

“Privacy by Design” and “Privacy by Default” are not new. The GDPR merely recognizes this right and requires companies to have a mindset that considers data privacy at all stages of the development process for products, processes, or services that involve processing personal data.

  • Start with GDPR awareness in your organization—everyone who deals with consumer data should know and adhere to all data privacy requirements;
  • Conduct regular risk assessments and implement mitigation responses to identified risks;
  • Appoint or train a designated Data Protection Officer (DPO) to oversee GDPR compliance at your organization;
  • Design new applications and business processes, or update existing ones, with data privacy in mind;
  • Make sure that all your vendors or partners do the same.

Want to know more?

Contact SoftServe today to jumpstart your GDPR compliance effort.