While GDPR is the trending topic on the Internet, not many of us actually know what it actually means. Let us help you understand GDPR a bit better and why you need to change your policies according to it.
What Is GDPR?
It is known as “General Data Protection Regulation” that was approved on April 2016 and is going to be in effect from today onward – 25 May 2018. It (2016/679) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It focuses on the export of personal data outside the European Union.
The goal of this regulation is to provide consumers the control of their personal data that is collected by the companies. It is applicable for all businesses that are working with EU companies and include clients or consumers from EU.
Key Policies To Keep In Mind
Consent: The focus of GDPR is on consent. The companies that use vague and confusing statement to get consent for gathering consumer personal data – would not be able to do so anymore.
For example, if you have a webpage on your website that asks users to give consent by clicking on a single link and doesn’t clarify to all the things the user is consenting to – that will land you in trouble. As per GDPR, users should be able to consent to each information individually. Bundled consent is out!
Secondly, users should be able to withdraw their consent whenever they want. The process of withdrawal should be easy and provided by the firm.
For minors (under 16), there has to be an adult who holds “parental responsibility” – only they can opt-in for data collection on the minor’s behalf.
Breach Notification: There is another key policy under GDPR that makes it mandatory for companies to notify their DPO or data protection authority about a data breach within 72 hours of occurrence. The data protection authority, the controller or the processor needs to notify consumers about the breach “without undue delay”.
User control: The consumers will have more control about their personal data. Consumers can access their personal data used by the companies and will have complete transparency about where their information is being used and for what purpose.
Consumers/users has the right to be forgotten – which means they can ask the controller to erase their information and potentially stop the access of their personal data by any third party. Users can also transfer their data to a different service provider.
Consequences Of Breaching GDPR Laws
If a company or enterprise is found breaking GDPR laws, they could be fined up to 4% of their annual turnover or have to pay 20 million euros ($24.6 million), whichever is larger.
Is GDPR Compliance Essential For US Based Companies?
Yes! The United States government is going to fully cooperate to enforce the privacy laws legislated by the EU. Any business registered or operating from the United States, in business with EU companies, or has EU audience, users or consumers, have to comply with GDPR laws. GDPR non-compliance will subject them to lawsuit and hefty fines. It could be 4% of their annual revenue or €20 million, whichever is higher.
Unless you can restrict an EU resident to visit your website or bar them from using your web portal or mobile app, it will be wise to comply.
Steps You Need To Take For GDPR Compliance
Start off with your Privacy Policy:
- The company privacy policy needs to easily accessible and displayed on your website/app.
- Users need to be updated about recent policy changes.
- Avoid using legalese in your language – The privacy policy should be easy to understand and clearly laid out with detailed points.
- Name your business correctly, share phone number, email and physical address. Mention whether your business is owned or controlled by another company.
- Inform users about the various physical locations where your business is operational.
Should Indian (Outsourcing) Companies Adhere To GDPR Laws?
Technically, GDPR is considered as a borderless and sector neutral law. Article 3 of the GDPR – “Territorial scope” – makes it clear. Whether your organization is processing the personal data of EU data subjects inside the union or outside – the law applies to all. So the answer is a resounding YES!
India’s Growing Partnership With EU
If we go by the stats shared by the European Commission – EU is India’s topmost trading partner: 13.5% of India’s overall trade recorded in 2015-16. The trade in services was about €28.1 billion as recorded in 2015-16 and the relationship is growing.
India although has its own data privacy law, governed by the Information Technology Act, 2000, Reasonable Security Practices and Procedures, and Sensitive Personal Data or Information, 2011. GDPR will bring some new insights for Indian consumer privacy as it is still not up to a desired level. However, a recent ruling by the Supreme Court of India on 24 August, 2017, regarding “RIGHT TO PRIVACY,” and many new upcoming policies give an indication towards a shift toward strengthening and securing the privacy of Indian citizens.
With the implementation of GDPR and similar upcoming regulations in India, companies need to monitor their operating environment and they should be cognizant to identify a breach and notify the authorities.
Minimum Requirements For GDPR Compliance
1. Update Privacy Policy
To make sure that your business is GDPR compliant, you need to do an internal analysis on the customer information you currently store. If a customer reports an issue with your privacy policy, you would be asked these following questions by the ICO “Information Commissioner’s Office”:
- What data you collect from your users or customers?
- Your reason behind collection of the data?
- How did you collect the data?
- Did you get consent from your users?
- Till when you are going to keep the data?
- Is the data secure in your possession?
- Do you share the data with third parties and the reason behind it?
You should have answers to the above questions and mention them in your Privacy policy/terms and conditions as clearly as possible.
2. User Rights and Access
As per GDPR – user rights are explicitly highlighted. Your consumers/users have the right to:
- Access, view, and edit their own information.
- Erase their data from the records by sending an official request. You are bound to erase their data unless you have a legal reason to keep their information.
- Refuse/object to direct marketing messages and ads.
You need to provide your website or app consumers – a way to access, view and edit their personal data. They should be able to easily get in touch with you to request erasure of their personal data – free of charge.
Once you have the system ready – you need to update your Privacy Policy as well with a section on:
- Information regarding user’s rights regarding their own personal data
- Steps and process to access their personal information, view it and edit it
- Till when you are going to store their data and why you need it
- Instructions on how to unsubscribe from marketing messages/emails and/or any targeted advertising from your business.
3. Legal Basis for Processing Data
You need to show a “Legal Basis” to process the personal data of an individual. If you don’t have a legal cause, it will be considered unlawful by the ICO.
User consent is the most common basis that you must cover. Getting express consent from your users and a document to prove the consent – lets you off the hook. Here are two examples of doing it:
OR
4. User Consent
This is one of the most imperative update under GDPR – as per which, user consent of personal data collection must be “freely given, specific, informed, and unambiguous.” This includes the collection of anonymous data through the use of cookies.
In simpler words, you must get active user consent before even collecting their IP address.
The passive methods of gaining consent will no longer be considered valid. For example: browsewrap — that uses terminology such as “by continuing to use our site you automatically agree to our use of cookies” are not going to be considered valid.
Here is an example for active consent agreement that some websites are using –
A floating dialogue box like above will help users know why you are collecting their data via cookies. You can include a link to your Privacy/Cookies Policy, and let them confirm the agreement by clicking on a checkbox.
5. Transparency and Accountability
Any updates to your privacy policy needs to be communicated to your users. If there is a data breach:
- It must be detected and reported to authorities within 72 hours.
- If due to the data breach, the user security is at risk, they need to be informed within 72 hours as well.
If the data breaches are found occurred due to security negligence at the organization’s part then the company is subject to fines and penalties.
6. Staff and Data Management
All your staff members need to be educated about the new privacy changes under GDPR. Any staff member with access to client/user personal information must be made aware of the following points:
- Laws on handling personal information
- Latest Privacy Policy of the company
- Secure ways to process, record, and maintain personal data of the users
Internal data protection policies needs to be applied such as staff training, process audits, and review of HR policies.
7. Final Checks
The last two statutes required by the GDPR may or may not apply to your business. Click on the points to learn more about them –
We have recently updated our Privacy Policy to make it GDPR complaint and we suggest you to read it for better understanding.
