What You Need to Know About the General Data Protection Regulation (GDPR)
As the economy continues to globalize and digitize, it relies increasingly on the processing and control of data. Despite the enormous opportunities this presents to businesses, it is accompanied by growing public concern about, and awareness of, the importance of personal data protection.
Recently, a global survey held by KPMG International has shown that more than half of consumers said they have avoided online purchases because of privacy concerns. Less than 10 percent of the respondents felt that they currently have no control over the way organizations use and handle their personal data, according to the same survey.
The General Data Protection Regulation, or GDPR, is the European Union’s response to this growing concern. Because it acknowledges the value of such data, the regulation imposes a cost on the collection, storage, and use of data: it holds organizations responsible for protecting it and requires them to return ownership and control to the individual.
The GDPR is a single regulation that unifies, strengthens, and enforces personal data protection across the EU, in contrast to the existing Data Protection Directive 95/46/EC, which was transposed into individual national laws.
What is GDPR?
The General Data Protection Regulation is a response to the massively increased role that technology now plays in everyday life. GDPR was ratified by the member states in April 2016 and will go into effect on May 25, 2018. Although it is an EU regulation, it applies to any organization, wherever it is located, that collects the personal data of EU residents.
The objective of this new regulation is to make sure that adequate data protection is incorporated into the process of collecting personal data “by default and by design”. This begins with collecting only the minimum data needed for a specific purpose and erasing it when it is no longer needed.
Another important detail about the GDPR is that the data source, the subject of the personal data, is the owner of their personal data. The data subject must be able to withdraw consent to data collection as easily as it was given. The data subject also has the “Right To Be Forgotten”, or RTBF, and the right to take their personal data with them.
Who is affected?
GDPR applies to any organization, in any country, that collects, stores, or processes the personal data of EU residents. This can be data from employees, customers, or business partners or prospects.
Both have increased obligations under the GDPR and could face penalties should a breach take place.
What does this imply for global businesses?
The implications are both far-reaching and significant for most organizations. It will necessitate change that encompasses data processing workflows, business processes, organizational structure, and most importantly, information and security technologies.
Is Qeryz Ready for GDPR Implementation?
As a digital marketing tool, Qeryz functions by gathering information from users, which is then used as a basis for making necessary adjustments to the business. In doing so, it helps websites gain more viewers and subscribers without compromising the security of the information users provide.
Individual Rights
The GDPR at its core defines the rights of the individual as they relate to the protection of data.
Qeryz is aware that many people online are hesitant to provide information out of fear that it will be exploited. This is precisely the concern that the GDPR aims to address, and with which Qeryz strictly complies.
Below are the rights, broadly summarized:
Informed Consent
The right to be informed clearly why the data is needed and how it will be used. Consent must be granted explicitly and should be able to be withdrawn at any time.
Access
The right to access all the data collected, free of charge, and to obtain confirmation of how it is being processed.
Correction
The right to correct the data if any of it is inaccurate.
Erasure and the Right To Be Forgotten (RTBF)
The right to request erasure of one’s data.
Data Portability
The right to retrieve and reuse personal data, for your own use, across different services.
Therefore, the first challenge towards GDPR compliance is to audit and modify, if necessary, the way an organization collects, stores, and processes personal information in accordance with these rights.
Simply reaching the point where an organization can precisely locate every instance of an individual’s personal data across its entire infrastructure will be a major hurdle.
This can also present an opportunity for some organizations to streamline their operations, eradicate any unnecessary collection of data, and limit analysis and processing to only what is essential to the core business goals.
With all of the guidelines and requirements provided by the GDPR, full compliance with it is a significant undertaking. Qeryz values the privacy and security of user information above anything else and strictly observes the standards set by the GDPR.
Governance and Accountability
The organization then needs to be able to show compliance with appropriate measures of governance including detailed documentation, logging, and risk assessment. There is also an added expectation here for organizations of ‘data protection by design and by default’, which means that security should be an important part of all systems as much as possible. It should be integrated from the beginning instead of something that is applied in retrospect.
Clearly, this presents an enormous challenge, especially when legacy systems are already in place. These cases highlight the integral role of network-level security as the first defensive layer: until the many legacy systems still in use in some organizations are redesigned with data protection measures built in, network-level security may be their only defense against a data breach.
The regulation is also necessarily vague about the exact technical measures needed to comply, because of the rapid pace of technological change. As the speed of development of technologies like the internet, mobile devices, applications, and the digital economy increases, so does the rate of evolution of the cyber threats that will continue to exploit these changes.
The GDPR uses terms such as “appropriate” and “state-of-the-art”, beyond the most obvious precautions such as data encryption and pseudonymization, to signal the requirement for continuous risk assessment and the updating of compliance measures.
Security technology and data protection practices that are considered compliant today may need to be changed to remain compliant in the future as new vulnerabilities are discovered. Although this leaves room for legal challenges over interpretation, organizations will nevertheless need mechanisms to make sure their efforts keep pace with the latest changes in threats and technology.
Notification of Breach
GDPR also introduces a new obligation for organizations to notify the relevant authorities in the event of any breach of personal data that is likely to result in a risk to “the rights and freedoms of individuals”. The notification must also be extended to the affected data subjects if that risk is determined to be high.
The notifications must be made ‘without undue delay’ and where feasible, within 72 hours of the discovery of the event.
Even though the regulation makes no explicit reference to network security technologies or specific data protection measures, the transition to compliance must start with making sure that the underlying network is sufficiently protected against all possible angles of attack.
What Happens Now?
The General Data Protection Regulation, Regulation (EU) 2016/679, entered into force on May 25, 2016, and will apply from May 25, 2018.
Once the GDPR applies, the current Data Protection Directive 95/46/EC will be repealed. Member States are busy considering the impact on national data protection legislation as companies begin the process of moving to compliance with the new requirements.
Even though the GDPR has direct effect in all Member States, national laws will still need to be amended to regulate a few aspects. These include the position of the data protection authority (DPA), sector-specific rules, the implementation of additional requirements where the GDPR leaves discretion to Member States, and transitional rules.
The first draft of the national laws with necessary changes in legislation has already been published in countries such as Germany, Poland, and the Netherlands.
Many organizations are now considering the answers to questions such as:
- What are the new obligations under the GDPR and which of these will apply to their organization?
- What gaps exist between their existing state of compliance and the standards required under the GDPR?
- What changes should companies make to achieve compliance with the GDPR; how long will it take; with what order of priority; and at what cost?
The level of risk associated with the GDPR has finally catapulted data protection into the boardroom, which means many companies should now be considering the protection of data their number one priority. Qeryz has already adapted to this, having placed the utmost importance on safeguarding the data provided by its users.
What are the Things You Should Do to Prepare?
For those who have websites or use websites affected by the GDPR, here are a few things you might want to take note of.
Be Ready for Security Breaches
Put in place well-practiced procedures and clear policies to make sure that you can react quickly to any data breach and notify within the required time where you are required to do so.
Establish an Accountability Framework
If required, you should appoint a data protection officer. Make sure that you have clear policies in place so that you can prove you meet the required standards. Establish a culture of monitoring, reviewing, and assessing your procedures for processing data. Aim to minimize data processing and retention of data, and build in safeguards.
Check that your staff are trained and understand their obligations. You will also probably need to conduct auditable privacy impact assessments to review any processing activities that could be considered risky, and take steps to address specific concerns.
Ensure Privacy by Design
Be sure that privacy is embedded into any new product or processing that is deployed. To enable systematic validation and structured assessment, privacy by design should be considered early in the process.
Implementing privacy by design can both create a competitive advantage and demonstrate compliance.
Determine the Legal Basis on Which You Use Personal Data
Consider what data you collect and the processing you undertake. For example, do you rely on the consent of the data subject, or can you show that you have a legitimate interest in processing the data that is not overridden by the interests of the data subject?
Many companies assume that in order to process personal data, they must obtain the consent of the data subjects. Consent, however, is just one of several ways of making a processing activity legitimate, and it might not be the best way, since consent can easily be withdrawn.
Review whether your forms and documents of consent are adequate if you do rely on obtaining it. Check that consents are freely given, specific, and informed because you will have to bear the burden of proof.
Revisit Your Privacy Notices and Policies
The GDPR requires that the information you provide be in plain and clear language. Your policies should be easily accessible and transparent.
Keep in Mind the Rights of Data Subjects
You should be prepared for data subjects to exercise their rights under the GDPR such as the right to erasure and the right to data portability. Consider the legitimate grounds for retention if you store personal data because it falls to you to prove that your legitimate grounds override the interests of the data subjects.
You should also expect to face individuals who have unrealistic expectations of their rights.
Consider If You Have New Obligations as a Processor If You Are a Supplier to Others
The GDPR imposes some direct obligations on processors that you will need to understand and build into your procedures, policies, and contracts. You are also very likely to find that your customers will want assurance that your services are compatible with the enhanced requirements of the regulation.
Consider if your documents and contracts are adequate and check who bears the cost of making changes to the services as a result of the changes in regulations or laws for existing contracts.
International Data Transfers
For any international data transfers, including intra-group transfers, it will be important to make sure that your basis for transferring personal data to jurisdictions that are not required to have adequate data protection regulation is legitimate.
Although this is not a new concern, failure to comply might land you with a fine of up to the greater of 20 million euros and 4 percent of annual worldwide turnover. The consequences of non-compliance could be severe, so you may want to consider adopting binding corporate rules to facilitate intra-group transfers of data.
Qeryz’s Compliance with the GDPR
The privacy of users’ information is something Qeryz, a website survey tool, takes extremely seriously. Qeryz makes sure that it adheres to every single guideline established by the GDPR, such as confirming the user’s consent for website activity tracking and anonymizing the data collected from users to protect their privacy.
If you are already using Qeryz’s services, there is nothing you need to worry about. You can rest assured that Qeryz closely follows the guidelines provided by the GDPR, that the data you have provided is safe and secure, and, more importantly, that it is still your data.