Getting to grips with the GDPR
Spammers have had serious competition these past few weeks. Almost all websites and organisations have been busy sending out one of those ‘we are updating our privacy rules’ emails. It’s second nature to ignore these mails, but we should really pay attention to this one.
The General Data Protection Regulation (GDPR) is a new regulation that aims to establish a single set of rules across the EU to ensure the personal data of its citizens is protected and not abused. This concerns you even if your business isn’t in the EU: simply by collecting data about an EU resident, organisations outside the EU become subject to this regulation.
Here's a quick summary.
Terms and conditions must be simple and easy to read. It must also be as easy for a user to withdraw consent as it was to give it.
Right to access
Customers or data subjects have the right to obtain information as to what data you have on them, whether it’s being processed and how.
They also have the right to request an electronic copy of their personal data.
If you suffer a data breach at any time, you are required to notify your customers of any risk within 72 hours.
Right to be forgotten
Customers can at any time ask for their personal data to be erased. Note that there is a downstream responsibility here: you must also notify any other person or organisation you have shared the data with so that they erase it too.
As part of your terms and conditions, you should clearly state at the point of collection how long their data will be retained.
Customers and individuals have the right to obtain their personal data (in a common format yet to be defined) for their own purposes or to transfer to a different service provider.
Privacy by design
You have the responsibility to include and implement technical measures to keep data secure and compliant with the GDPR rules.
Employ a data protection officer
Organisations with more than 250 employees must employ qualified data protection officers.
This is just a quick summary of the GDPR. You can read the full text here to ensure your organisation is adequately prepared. You might also be interested to see how other organisations are implementing these regulations. Read Slack’s plan for GDPR compliance here.