It is hard to keep up to date with changing laws and, often, we do not notice when the protection of our rights has changed. In the world of data protection, change is afoot with the introduction of the EU GDPR – the EU General Data Protection Regulation. This single regulation will replace the patchwork of national data protection regimes currently in place across the EU member states.
First proposed by the European Commission back in 2012, it aims to boost online privacy rights and strengthen the digital economy of the EU.
The new regulation applies to any business, whether it is based in the EU or not. If you process the personal data of individuals who are in the EU (citizenship is not the test), you will be governed by the rules the GDPR sets out. Businesses ranging from start-ups in Amsterdam and Berlin, right up to multinational powerhouses like Facebook and Google, will all be affected by GDPR.
The GDPR is already law, but in about 16 months, once it becomes enforceable, businesses that fail to comply can face fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (the lower tier of infringements carries up to €10 million or 2%).
Fear not – there is still plenty of time for you to get your business ready and avoid such fines. So what do you need to do to meet the requirements set out by EU GDPR? Here are a few things you can start doing straight away to help make the transition seamless.
With PlanetVerify, terms and conditions can be attached to each data request that is sent out to an individual client. The client must accept those terms before they can begin using the service provided through PlanetVerify.
IMPLEMENT CONTROLS FOR TRACKING AND MANAGING DATA
Storing someone's documents without a lawful basis for doing so (consent being the most common one) is no longer acceptable. GDPR gives individuals the right to have data a company holds about them erased on request (the right to erasure, Article 17). It also gives them the right to receive a copy of the data they provided in a machine-readable form so they can transfer it to another provider if they wish (data portability, Article 20). PlanetVerify gives a business the option to provide its clients with a one-click facility to request that any of their data collected through the app and held by the business be deleted. In turn, the business can delete that client's data in one click, and the client is notified when the deletion request has been processed.
Every time IT managers take in someone's personal data they should be asking themselves:
- Can we track a customer's personal data as it travels through our systems?
- Are we able to erase it if they ask us to do so?
- Are we able to give them tools to do this themselves, without our assistance?
All of these capabilities will be required under GDPR.
ENABLE AN OPT-IN REQUIREMENT FOR DATA SHARING
Most of the big U.S. multinationals use an opt-out model when collecting and sharing consumer data. Under opt-out, the consumer has to specifically ask the data collector not to share their data with third parties; otherwise consent is assumed by default!
GDPR requires organisations to do the exact opposite and offer opt-in. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and it must be an affirmative act by the individual. Silence, pre-ticked boxes or a buried opt-out option will no longer count as consent.
Clients can be informed of this alongside the terms and conditions that accompany the data request from the business, but the request for consent itself must be clearly distinguishable from the other terms, and the service must not be made conditional on consent that is not needed to provide it.
PROTECT THE DATA YOU SHARE
Most of the time, both employees and clients send documents by email. Mail providers typically encrypt messages in transit between their servers, but that is where the protection stops: the same message is then stored in mailboxes and synced to every mobile phone and tablet that reads it, and those devices are not protected in the same way. The solution is to share documents through a channel that keeps them encrypted from the sender to the recipient and encrypted at rest. PlanetVerify sends all documents through its own secure channels and stores them encrypted in one place.
PREPARE FOR NEW DATA BREACH REPORTING REQUIREMENTS
Under GDPR, companies are required to report personal data breaches: to the supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals), and to the affected individuals without undue delay where the breach is likely to result in a high risk to them. It is important to note that a fine can follow from a breach in two separate ways: because the breach revealed that the data was not adequately secured, and, independently, because the breach was not properly reported within the designated timeframe.
Data breach is an ongoing threat. With PlanetVerify, the likelihood of an account being taken over is reduced by 2-factor authentication: even if a fraudster manages to obtain a password, they will also be asked for a one-time code generated on the user's own device, which the password alone does not give them. This defeats the most common form of remote account takeover, a stolen or guessed password used from elsewhere, although it does not remove every remote attack (phishing kits that relay the one-time code in real time exist), so it complements rather than replaces monitoring and breach preparedness.
If a breach does occur, the reporting duties above apply, so it is imperative that businesses limit the risk of a breach in the first place and have a process ready for reporting one. Fines will be incurred if reports of a data breach are not properly made.
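To make the "code which only exists on the user's device" concrete, here is an added example of the standard time-based one-time password mechanism (TOTP, RFC 6238) that most 2-factor apps implement. It is illustration code written for this article, not PlanetVerify's own implementation, and the secret, salt and account layout are constructed for the demo. The server and the user's device share a secret; both derive a short code from that secret and the current 30-second time step, so a password on its own never yields the code, and a code that has been observed once cannot be replayed.

```python
"""Password + TOTP (RFC 6238) second factor, as an added illustration."""
import hashlib
import hmac
import struct

# Constructed demo secret: the value provisioned to the user's device at enrolment
# (in practice a random 20-byte key shown once as a QR code). This particular
# value is the RFC 4226 / RFC 6238 test-vector secret, not a real key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to the wanted digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step.
    The device computes exactly this from the same secret and its own clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter=None, window: int = 1, step: int = 30, digits: int = 6):
    """Return (accepted, counter). Tolerates +/-window steps of clock drift
    between server and device, and refuses any counter at or before the last
    one consumed, so a code captured by an attacker cannot be replayed."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, None


def make_account(password: str, totp_secret: bytes) -> dict:
    """Constructed account record: salted PBKDF2 password hash plus TOTP state."""
    salt = b"constructed-static-salt"  # demo only; use os.urandom(16) per account
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
        "last_counter": None,
    }


def login(account: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. A stolen password alone fails; so does a
    correct code with the wrong password. On success the counter is consumed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    password_ok = hmac.compare_digest(candidate, account["pw_hash"])
    code_ok, counter = verify_totp(account["totp_secret"], code, unix_time,
                                   account["last_counter"])
    if not (password_ok and code_ok):
        return False
    account["last_counter"] = counter
    return True


if __name__ == "__main__":
    acct = make_account("correct horse", DEMO_SECRET)
    now = 1111111109  # fixed time from the RFC 6238 test vectors
    device_code = totp(DEMO_SECRET, now)  # what the authenticator app displays
    print("device shows", device_code)
    print("password only:", login(acct, "correct horse", "000000", now))
    print("code only:    ", login(acct, "guessed", device_code, now))
    print("both factors: ", login(acct, "correct horse", device_code, now))
    print("replayed code:", login(acct, "correct horse", device_code, now + 5))
```

The `window` of one step on each side is the usual trade-off between tolerating device clock drift and narrowing the set of codes an attacker could guess; `last_counter` is what stops a code that was phished or shoulder-surfed from being used a second time within the same window.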
The key to preparing for this requirement is to know what personal data you hold, where it lives and which legislation covers it. Get to know the threats against your organisation, and give your customers confidence that you are able to defend against them and to tell them promptly if a defence fails.
In this digital world, information is abundant and fast-moving. Those who share personal data need to know that it will be protected and used correctly. Ensure that your business builds that trust by being informed and pro-active. Use this blog post as your starting point – these are the things you can start doing now to meet the requirements set out by GDPR and to avoid any potential fines.
Want to keep up to date with EU GDPR and data protection? Follow us on Twitter.
Would you like this to become a series? If you would like to follow a blog series that breaks down the EU GDPR legislation as it comes into force and helps keep you and your business informed, please let us know by sending an email to info (at) planetverify.com