Article: GDPR
What is GDPR? Why is it considered to be a threat to IT industry right now? What will be the impact of GDPR in business? We have it all covered.
Can you think of your day without internet? We are consistently connected to the web through our smartphones, and sharing a magnitude of data without our knowledge. For example, the sites we visit, the posts we make on social media, personal details like name, address, contact details, bank details etc. But have we ever stopped to think what companies do with them while giving out such personal data? All these information are stored digitally.
Companies give us the idea that they are collecting data to serve us better. As most of the businesses now have a digital presence, through collecting personal data companies offer more targeted and relevant communication to improve customer satisfaction.
But is that all?
Here comes the new European privacy regulation called GDPR (General Data Protection Regulation) in replacement of the Data Protection regime which will be enforced in May 2018. The data that is gathered about us is more comprehensive and accurate than ever. The consequences of mishandling the data would be equally great. Here, GDPR will permanently change the way companies collect, store and use customer data.
GDPR introduces tougher fines for data breaches and non-compliance and gives consumers more say over what companies can do with their data.
To make Europe 'fit for the digital age', European Commission set out plans for data protection reform across the European Union in January 2012. Though GDPR is discussed globally as if it is an issue between EU and US, the Indian IT industry also has a huge stake since it works both for the US and EU clients and needs to provide a "GDPR Compliant Data Processing Service".
As GDPR is proposed as a "Global Regulation", no Indian Company would get EU business unless it is compliant with GDPR. GDPR applies to all businesses and organizations established in the EU regardless of whether the data processing takes place in EU or not. If a company tries to be compliant, it has to confront a tough penalty structure.
The penalty will be 10,000,000 Euros or 2% Global Turnover for offenses related to Child consent, transparency of information and communication, data processing, security, storage, breach, breach notification; and transfers related to appropriate safeguards and binding corporate rules.
And 20,000,000 Euros or 4% of Global Turnover, for offenses related to data processing, consent, data subject rights, non-compliance with DPR order, and transfer of data to the third party.
The definition of personal data has been expanded by EU. Name, photo, email address, bank details, location details, IP address, medical information, updates on social media sites – all are personally identifiable information.
Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Under GDPR, people will have more control over their data and they will have-
Individuals can request access to their personal data and ask how their data is used by the company.
Consumers can withdraw their consent from a company to use their personal data and also have the right to have their data deleted.
Individuals can transfer their data from one service provider to another. And it must happen in a commonly used and machine-readable format.
Consumers must be informed before their data is being gathered by the company. And consumer consent is a must for that.
Individuals can have their data updated if it is incorrect or out of date.
Consumers can ask their data not to be used for processing. Data can be there for the record but not be used.
Consumers can stop their data from being processed for direct marketing. Companies must obey this as soon as they receive the request and this right must be made clear to the individuals at the very start of any communication.
In case of any data breach where individual's personal data is compromised, the respective person has the right to be informed within 72 hours.
The focus of GDPR is to ensure the business is safe and data processing is compliant. In short, there should be transparency while it comes to data processing. Customers should know what is going on with their data and ensure that it is used to create value for them primarily and not for the business. GDPR is giving more power to the consumers over their data and made it difficult for organizations that collect and use such data for monetary gain.
Companies must restructure their process of handling data to bring in the transparency. The data privacy policies must be revamped, and consumers must be informed about all their rights.
Yes, it's true that GDPR does create challenges but it also creates opportunity. Companies who show transparency in their data protection policy and able to value the privacy of its consumers build deeper trust and retain more loyal customers. GDPR is a big opportunity for Indian IT to invest in their automation portfolio as there are large automation opportunities especially in the data retention mechanisms and security ecosystems that will be needed to achieve GDPR compliance.
May 25 is just knocking at the door. Companies must dedicate their time to understand what they need to do in order to become compliant. Creating a plan of action beforehand will also help to stay ahead of others. As data has become a valuable currency in the world, it is believed that GDPR will strengthen data protection measures of companies and empower consumers if followed in the right spirit.