Do you meet the GDPR Compliance Requirements?

GDPR - European General Data Protection Regulation.

11 Mar, 2019

Technology

GDPR Executive Summary:

What: Meant to protect the rights and freedoms of individuals, the General Data Protection Regulation (GDPR) is the primary law that regulates how companies protect the personal data of people in the EU. It came into effect on May 25th, 2018.
Who: The GDPR applies to any company that is established in the EU, does business in any EU country, participates in targeted marketing in the EU, or collects personal data on anyone physically in the EU at the time the data is collected.
Some Key GDPR Compliance Requirements:

  • Requires “freely given, specific, informed, and unambiguous” consent of subjects for data processing.
  • Pseudonymizing or anonymizing collected data where appropriate.
  • Provide data breach notifications within 72 hours.
  • Allowing customers to see and delete their data.
  • Requires a data protection officer for certain organizations: public authorities, and companies whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data).
How does GDPR affect companies?

Even though the law was passed by the EU parliament, GDPR's scope reaches well into the US: 52% of US companies must comply with GDPR. Your company is subject to GDPR compliance if:

  • Your company does business in the EU
  • Your company does market research in the EU
  • Your company participates in targeted marketing in the EU (explained below)

Article 3 of the GDPR states that a company with no establishment in the EU must still comply if it offers goods or services to people in the EU or monitors their behavior there, for example by collecting personal or behavioral data from them. To explain the point on targeted marketing: if a consumer in Poland finds an English-language webpage that is aimed at US and Canadian consumers, that Polish consumer is not protected by the GDPR if he decides to give his information to that site. If, however, the user in Poland finds a site written in Polish and targeting EU users, the GDPR does protect him, because that company must be GDPR compliant.

Industries most affected by the GDPR include hospitality, travel, software services, e-commerce, and logistics. Becoming GDPR compliant is a massive and, in many cases, expensive undertaking, but a necessary one. According to Bloomberg (writing before GDPR took effect), the world's largest 500 companies could spend around $7.8 billion to become GDPR compliant. A company found non-compliant faces fines of up to 20 million Euro (about 22 million USD) or 4% of its worldwide annual turnover, whichever is higher.

GDPR & IT

As seen above, a key requirement for GDPR compliance is pseudonymizing or anonymizing data. This becomes a problem in IT practices such as testing and quality assurance. A survey of large-company CIOs by Vanson Bourne found that "83 percent [of respondents] use live customer data in test systems when testing applications, because they believe the use of live data ensures reliable testing and accurately represents their production environment". Testing with live customer data widens the exposure of personal data and raises the risk of a data leak: test systems are typically less hardened, more widely accessible and less carefully monitored than production. The practice can continue, but production data must be pseudonymized or anonymized before it reaches a test system. Note the distinction: pseudonymized data (direct identifiers replaced by tokens that the key holder can link back to the person) is still personal data under the GDPR, so the key must stay out of the test environment; only data that can no longer reasonably be linked to a person counts as anonymous and falls outside the regulation.
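One way to implement that pseudonymization step for a test-data export, as an added example that is not code from the original post or from eBiz: direct identifiers are replaced with deterministic keyed tokens (HMAC-SHA256) so that records still join across tables, e-mail and phone values keep a valid shape so form validation in the application under test still runs, free-text fields are dropped because they cannot be reliably scrubbed, and the date of birth is generalized to a year. The record layout, field names, sample customers and the key value are all constructed for the example; the only real requirement is that the key never be deployed alongside the test data.

```python
import hashlib
import hmac
import os

# Fields that identify a person directly; each is replaced with a keyed token.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "phone")
# Free-text fields can contain anything (health details, names of third parties); they are dropped.
FREE_TEXT_FIELDS = ("notes",)

# Constructed sample records for illustration; these are not real people.
CUSTOMERS = [
    {"customer_id": "C10042", "name": "Anna Kowalski", "email": "anna.kowalski@example.com",
     "phone": "+48601234567", "date_of_birth": "1985-07-14", "country": "PL",
     "order_total": 149.90, "notes": "Called about a late delivery; mentioned she is pregnant."},
    {"customer_id": "C10057", "name": "Jonas Berg", "email": "jonas.berg@example.org",
     "phone": "+4917612345678", "date_of_birth": "1990-02-03", "country": "DE",
     "order_total": 89.00, "notes": ""},
]

# Assumed key for the example. In practice the key lives with the production-side
# pseudonymization job (or in a secrets manager) and is never deployed to the test environment.
TEST_KEY = b"example-key-kept-outside-the-test-environment"


def token(key: bytes, field: str, value: str, length: int = 16) -> str:
    """Deterministic pseudonym for one value: HMAC-SHA256 under a secret key.

    Keyed (rather than a plain hash) so that someone holding the test data cannot
    rebuild the mapping by hashing guessed names or e-mail addresses. The field
    name is mixed in so the same string in two fields gets two unrelated tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymize_record(rec: dict, key: bytes) -> dict:
    out = {}
    for field, value in rec.items():
        if field in FREE_TEXT_FIELDS:
            continue  # cannot be reliably scrubbed, so it never reaches test
        if field == "email":
            # Keep a syntactically valid address so e-mail validation paths are still
            # exercised; example.invalid is a reserved domain and cannot receive mail.
            out[field] = f"user-{token(key, field, value)}@example.invalid"
        elif field == "phone":
            # Preserve the shape (plus sign, same digit count) so input masks and
            # length checks in the application under test still run.
            n_digits = sum(c.isdigit() for c in value)
            digits = str(int(token(key, field, value), 16)).zfill(n_digits)[-n_digits:]
            out[field] = "+" + digits
        elif field in DIRECT_IDENTIFIERS:
            # Same input always maps to the same token, so customer_id still joins
            # across tables (orders, tickets) pseudonymized with the same key.
            out[field] = token(key, field, str(value))
        elif field == "date_of_birth":
            # A quasi-identifier: full date plus country can single out a person.
            # Generalize to birth year, which is usually enough for age-based test cases.
            out["birth_year"] = int(value[:4])
        else:
            out[field] = value  # non-identifying business data passes through unchanged
    return out


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def anonymize_dataset(records: list) -> list:
    """Pseudonymize under a random key that is discarded immediately.

    With no key retained, nobody can reverse the tokens, which moves the output
    toward anonymous data. Residual quasi-identifiers (birth_year, country,
    order_total) can still narrow a person down in a small dataset, so this is
    not automatically GDPR-anonymous either; that assessment is a separate step.
    """
    return pseudonymize_dataset(records, os.urandom(32))


def leaked_identifiers(originals: list, pseudonymized: list) -> list:
    """Check before export: no original direct-identifier value may survive anywhere in the output."""
    sensitive = {str(r[f]) for r in originals for f in DIRECT_IDENTIFIERS if f in r and r[f]}
    leaks = []
    for out in pseudonymized:
        for field, value in out.items():
            for s in sensitive:
                if s in str(value):
                    leaks.append((field, s))
    return leaks


if __name__ == "__main__":
    test_data = pseudonymize_dataset(CUSTOMERS, TEST_KEY)
    assert leaked_identifiers(CUSTOMERS, test_data) == []
    for row in test_data:
        print(row)
```

Two design points matter for compliance rather than just for testing. First, the export is only pseudonymized as long as `TEST_KEY` exists somewhere, so the key holder must be documented and the key kept with production secrets, not checked into the test environment's configuration. Second, `leaked_identifiers` is the check to wire into the export job: it fails the run if any original name, address or number appears in the output, which catches the common mistake of adding a new identifying column to the schema without adding it to `DIRECT_IDENTIFIERS`.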

The key to maintaining GDPR compliance is having proper systems in place to track and identify personal data. You need to know where data is stored, what it is being used for, and on what legal basis.

eBiz & GDPR Compliance Checklist

From our mobile apps to customized software, we make sure all our solutions are GDPR compliant. Below is the checklist we use to make sure our mobile apps and websites are GDPR compliant.

  • The application has a privacy statement.
  • The application does not collect or process more data, or keep it for longer, than is strictly necessary for the intended purpose as communicated to the user.
  • The end user has explicitly agreed to the processing of personal data. (Pre-ticked boxes are not permitted.)
  • The application provides contact information for the controller that is easy to find.
  • The application has a separate checkbox on the registration form for each particular processing activity.
  • It is clear to the end user what he/she gives permission for. This is explained transparently, concisely and understandably. Visual support is used where relevant, especially when the information is intended for a child.
  • If applicable, it is stated that a child may only give permission if he/she is 16 years of age or older. Otherwise, the permission of a parent is needed, and it should be reasonably demonstrated that a parent has given permission.
  • If the application includes automated decision-making, it should be clear to the end user how that decision is taken.
  • If the application includes programmatic advertisements, they must be clearly authorised by the user.
  • The application allows end users to view and adjust data that they actively shared.
  • An appropriate assessment has been made when data is pseudonymized, and the pseudonymization process is tuned to the risk.
  • Appropriate technical and organizational measures are taken to ensure a level of security appropriate to the risk, including, as appropriate:
    • the pseudonymisation and encryption of personal data.
    • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
    • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Bottom line:

The GDPR has been set up to protect the rights and freedoms of individuals, and though it was established in the EU, it affects far more than EU-based companies. Make sure your website, mobile app, software – really, any interactive digital medium – is GDPR compliant.

© 2019 eBiz Solutions. All Rights Reserved.