The EU is about to implement a data protection policy to ensure that the data of its citizen in the 28 EU member states are protected. And so come May 25,2018 the General Data Protection Regulation or GDPR, will go into force.
There is much talk about GDPR so much that May 25, 2018, is turning into judgment day for companies and businesses. And so there is a rush towards compliance before that date.
This is causing fear and panic as to what kinds of penalties will be inflicted if companies and businesses are found to be non-compliant. One article writes,
“Scary phrases like “fines upward of 20 million euros” and “4 percent of annual turnover” have been the number one argument for leveraging the awareness of personal data…...source
Fear is creating awareness and so companies and businesses share some kind of information on GDPR with their clients and subscribers.
The information comes in various forms to enlighten businesses about how to comply with the law before it is enforced by May 25, 2018.
Most information on the topic is confusing making it hard to understanding GDPR. So this blog will try to make GDPR much easier to understand by giving you a general knowledge of it. And so you will learn
a) What GDPR is
b) Why it was implemented
c) How it will operate
d) What it means to comply
e) Who should comply
d) Who is exempted
Before we discuss this topic, however, there are a few things to help you to understand the subject matter better.
Basically, GDPR focuses its attention on the collection of data by asking questions. Data in this sense is the personal or professional information of individuals, companies or businesses.
This data is collected and used. GDPR in its concern for data collection poses a fundamental question and that is,
Is data collected being used with the consent of the owner, limiting the use to what the user has consented to?
Practically all major institutions, companies and businesses have their own list of personal or professional data of subscribers, suppliers, customers, etc.
So how do they collect this data?
How is data being collected?
Companies and businesses and of course successful bloggers, through one form or another, collect the personal information of site visitors.
To do this they delight site visitors with interesting products and services to entice them to leave their personal information.
Here are some of the ways you the site visitor leave your personal information;
a) Through a subscription form you fill out on a website or blog to receive updates, freebies, etc.
b) By signing up on a website or blog to be able to purchase products.
c) Through paid upgrades that require the purchase of a premium package or similar offer.
d) Through the joining of programs like affiliate marketing programs, online courses, etc.
The information that websites/blogs collect, is given by site visitors on consent. And that means you the site visitor agrees to submit your personal data in exchange for the use of a website or blog’s services.
In simple terms, it means that to receive a website or blog’s newsletter, receive updates, make purchases, etc. you agree to release your email address,
your credit card information, your telephone number and sometimes even your physical home or office address, where required in the sign-up process.
This is part of the registration process companies and businesses use to collect customers and subscriber data. But while a massive amount of personal data is collected the question is
Why is that data being collected?
When business and company websites collect data they make it their responsibility to ensure the protection of that data.
“We collect information to provide better services to all of our users ”
To provide betters services to all users means companies and businesses must have a better understanding of how site visitors use their services.
This in large part means monitoring user activities to find out ways as Google puts it,
” to show you more relevant search results and ads, to help you connect with people or to make sharing with others quicker and easier…. and make those services even better.”
And so the whole idea of collecting your data is to have a better understanding of you the site visitor and your online behavior in order
to provide you with a much better and improved service.
As a site user, you know what data is being collected, such as your email address, login information, etc. But while you use a website’s service, additional data may be collected. This can be
a) Information about your device: such as the tablet, smartphone, the model of the computer you use, your network provider, operating system, the browser you use, etc.
b) Information about your location: Information may be collected using various technologies that determine the location or pinpoint your exact location. These could be IP address, your wi-fi connection, GPS, etc.
d) Information from Cookies: Once you visit a website or blog, a small file(cookie file) is sent to your computer. It tracks your activities on a given website,
stores that information so the next time you visit that website again, the cookie will allow that site to recognize your browser.
So with the knowledge of what data is being collected and why it is being collected, it’s time to understand why the GDPR law,
wants to protect private personal data of EU citizens. This brings us to the question of what GDPR is.
What is GDPR(General Data Protection Regulation)?
GDPR is simply a unified set of European community laws formulated to regulate and enhance the protection of the personal data of thousands of EU citizens. This is to ensure the rights of the EU citizen to have full control over
their personal information and decide how it will be used by companies and businesses. And so if you are an EU citizen, with the implementation of this law, you have a right to decide what personal information you want to share with companies and businesses.
Companies and businesses on their part must explain in “clear terms” how they are going to use this information and the intended purpose.
Why was it implemented?
The implementation of the GDPR law came into existence first because the legislation governing the protection and security of personal data was before now fragmented.
Each nation state had its own set of rules for the protection of personal data. This was fine up to a certain point. But,
“most legislation was not designed for a technological revolution and additional developments, like big data analysis.” [ 1 ]
If the protection of data was fine up to a point when that protection was extended to the online user,
“there were no guidelines with regard to what is permitted – and what is not. And so huge amounts of data was collected without properly informing the website user and asking them for permission.” [ 2 ]
Secondly, there was the need for a unified directive and so the EC 1995 Data Protection Directive had to be replaced as it was considered outdated. Change was necessary and
this meant putting in place new sets of regulations and guidelines to help in the conduct of data processing.
The new regulation would determine to what extent user data could be used with or without user consent as opposed to what happened in the past.
This necessity for a set of rules as guidelines for the use of personal data brought into existence GDPR.
How it will operate
Although it was approved by the European Parliament on April 14th, 2016, it’s enforcement will take effect on may 25,2018. By this date, it is believed companies and businesses collecting and using the personal data of EU citizens must have complied with the directive.
Once in operation, it will check for compliance through various operational roles such as
a) Data controller: This role refers to companies and businesses that collect the data. As you sign up for an offer leaving an email address and other personal information, this data is owned by the website or webmaster that collects that data.
b) Data processor: The role of the data processor is to manage data being collected. The data processor maintains and manages the data collected by the data collector. If you have ever noticed, in most cases when you sign up for an offer,
you are told in successive emails that the website does not store your information on its servers. This means while it collects your data,
it may store your data with a trusted third-party or a trusted third-party handles your data. These can be companies like Cloud and SaaS companies.
c) Data protection officer (DPO): The DPO is responsible for finding out non-compliance and this means it must ensure that all the rules in the GDPR regulations are followed. This DPO officer is a role designated by the data controller-companies and businesses and the data processor-third-parties managing data.
What it means to comply
If businesses and companies are to operate under the GDPR regulation then compliance means data controllers must put in an effective measure to ensure the protection of data such as classify data, perform risk assessments and ensure that
all partners are in compliance.The appointment of a Data Protection Officer(DPO) who will be responsible for ensuring compliance will also be necessary.
So who should comply?
In trying to comply with GDPR regulations, there is the question of who should comply and who shouldn’t. Practically anyone would tell you that if you run a business that processes the data of EU citizens, you should comply.
By this, you can quickly understand that those who must comply are those who have a connection to a “professional or commercial activity.”
And so compliance is necessary if you are running a commercial activity as when you
a) Have a business inside any of the EU member states.
b) Have a business outside the EU that offer goods and services to EU citizens.
In addition, small-to-medium-sized enterprises(SMEs) and major enterprises must comply to all parts of the GDPR rule.
Who is exempted?
GDPR makes exceptions and that means exemption to the rule exists. So who will be exempted from compliance?
a) Companies and businesses that have 250 or fewer employees, may be exempted from compliance.
b) Individuals processing data for personal use that is not connected to any professional or commercial activities (art.18)
c) Public authorities, like law enforcement to which data is disclosed to help them in their investigation efforts
d) Data of deceased persons
The protection of individual data is becoming a vital part of data protection security and means companies and businesses will be closely watched for irregularities and misconducts.
Of course GDPR compliance means those businesses who still want to use EU citizens’ data will have to take the necessary step to ensure they meet all the requirements.
Compliance is necessary but could have enormous costs that may or may not affect a company’s resources. There is still time until May 25th, 2018 and this means ensuring your business meets compliance before the deadline if it applies to you.
Was this post helpful? Please share and comment.