In keeping with this year’s Data Privacy Day theme, Respecting Privacy, Safeguarding Data and Enabling Trust, the General Data Protection Regulation (GDPR) takes center stage in reminding both organizations and individuals the importance of data privacy. Since all organizations come under the scope of the GDPR, small to medium businesses (SMBs), or companies with less than 250 employees and an annual turnover not exceeding EUR 50 million also need to fully understand the components and stipulations around their data protection practices.
The significance of data privacy is more relevant than ever with the fulfillment of the GDPR, requiring companies to give more serious thought into preparing for the budget, compliance, and other necessary adjustments. In fact, on January 10, the EU Commission published a package of documents including the European Data Economy, data protection, and e-privacy. The package incorporates new provisions and proposals that are purposely aligned with the GDPR. This denotes the increasing urgency for businesses to comply.
The GDPR applies to all organizations, regardless of location or size, where their processing activities are related to the offering of goods or services to individuals in the EU, or the monitoring of individuals' behavior takes place within the EU. SMBs, however, are allowed some exceptions such as maintaining a record of processed activities and EU Member States can determine if SMBs should designate a Data Protection Officer (DPO). While the GDPR will present serious implications on data governance, companies that can adapt quickly will be able to take advantage of the certainty of the protection of data transfers and collection.
Key individual rights that are poised to enhance digital privacy
While the core principles currently exist under the data protection law, the GDPR seeks to heighten the processing of personal data in a lawful, fair, and transparent manner in relation to the individual. This is meant to expand territorial scope, increase compliance, and broaden regulatory powers. Here are some significant individual rights under the GDPR that could impact your business and essentially provide your customers with better data privacy:
The right to information and transparency
The GDPR—which replaces the 1995 Data Protection Directive (95/46/EC) when it takes effect on May 2018—stresses that the individual's or your customer’s rights will allow them to have more control over their personal data. This means that it will apply to all social media and e-commerce sites as it precedes these modern digital platforms. Though the liability on SMBs is less because of the smaller risk they pose, they are still expected to maintain the simplicity and efficiency of their data processes.
If, for example, you own a small online retail shop and collect customer information, now is the best time to consider if the type of data you collect is necessary or relevant to run your business—because DPAs will check the purpose of the data you store.
What you can do: The way you handle your data must also be more transparent so your customer can fully and plainly understand what they are getting into, especially when it comes to areas where they can opt-in. If you need to retain your customer’s address as reference to current and future deliveries, let your customers know. Under this right, the GDPR will standardize some form of streamlined communication for both the organization and its customer. It can be less stressful on your end if you have the right systems and policies in place as this would lessen the burden of having to face fines or unforeseeable and damaging effects.
The right to be forgotten/Right to erasure
Being able to verify how your customer’s data is being handled isn’t enough. Your customer should stillbe able to retain their right to change their mind anytime, access or update their data, make changes, and delete their data from your records.
After a decision of the European Court of Justice of May 2014, Google began blocking search results in connection to searches in Europe upon the request of the affected person. The ruling emphasized that individuals have the right to request for the complete removal of their personal data under certain conditions where a company has no reason to withhold, store, and use their data since the information is no longer relevant and the right to be forgotten of the affected person prevails. The GDPR has made this right more effective by placing the burden of proof on the company where it has to show that the data cannot be deleted because its processing is necessary.
What you can do: For your business, this could mean that European rules should apply regardless of where your server is physically located, or whether you are a non-European business. If your company does not have a data protection expert, it is recommended that your data monitoring and auditing is done thoroughly with legal counsel in place. This will help you understand the likely exclusions, or even the constraints you would have to deal with when learning about the scope.
The right to data portability
A new addition to the rights, customers will have the right to request a standardized, digitally structured copy of their data from your company. Essentially, this allows your customer to be able to transfer their data to another provider without any hindrance on your end. Data portability underscores the importance of giving the individual more control over their personal data. It also aims to improve competition, as well as innovation among smaller businesses and uplift technological neutrality in data markets.
What you can do: To avoid costly risks, it is wise to manage your data in such as a way that data can be retrieved and shared in an interoperable format. Make sure that you have technical systems in place to assist processes required by requests.
All things considered, organizations must factor in the fines and implementation costs. Fortunately for SMBs, getting ready for the GDPR might not entail as much work as it would with bigger enterprises. However, SMBs should be complacent or take their time as the GDPR is fast approaching, and the best time to start your road to compliance is now.
Whether your business stores data in-house or in the cloud, the bottom line is that the privacy and security of collected data is maintained. According to Trend Micro CTO Raimund Genes, one of the ways to get a head start in adhering to the GDPR principle, even before complying, is to collect only what you need. To stress this point, Genes maintains that companies—especially those outside Europe where businesses store customer data for marketing purposes—will need to consider an overhaul in terms of redesigning their database.
Perhaps a good way to align with Data Privacy Day’s theme, “Respecting Privacy, Safeguarding Data and Enabling Trust,” is to incorporate two of GDPR’s key elements ‘privacy by design’ and ‘privacy by default’. When developing, designing, selecting and using applications, services and products that process personal data to fulfill their task, the right to data protection should always be taken into account. Doing this in turn would uplift and restore the essence of what some might consider an almost obsolete concept… privacy.
Trend Micro’sIntegrated Data Loss Prevention(DLP) protects data in endpoints, network servers, and the cloud, as well as the transfer of data between locations. DLP comes with a central policy management, so there’s no need to install separate technologies across multiple security layers.Network Security Custom Defenseprovides centralized data and policy management that gives IT administrators granular control and visibility to monitor, evaluate, and take appropriate action on unusual network activities based on their needs. For more insights on the impact of GDPR, readTrend Micro 2017 Security Predictions: The Next Tier.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).