General Data Protection Regulation (GDPR): Actionable Facts and Steps to Follow

Published February 3, 2016 · Updated January 14, 2019

By the end of 2015, the European Commission agreed on a new General Data Protection Regulation (GDPR). The growing trend towards customer-centric business models requires outdated privacy laws to be reassessed, and the new legislation is the answer to that need. GDPR will have a significant impact on all businesses dealing with customers within the European Union. How can you prepare your company to make sure it complies with stricter data-privacy regulations?

The new legislation will replace the European Data Protection Directive (95/46/EC) from 1995. The idea of GDPR is to give individuals full control over their sensitive personal data and to boost Europe’s digital economy. It is also supposed to assess whether US companies provide adequate protection when transferring data, as Safe Harbor “self-certification” was not enough to prove their credibility or to comply with European data-protection regulations. GDPR will come into force within two years.

Who is affected by the new ruling?

GDPR will impact both data controllers (e.g. a company) and data processors (e.g. a cloud-software vendor). It was created to act in the interest of data subjects (e.g. your customers or website visitors). The new regulations concern not only European companies working with personal data, but also every company outside the EU that wants to offer its services to clients located in Europe. Their privacy policies must be based on the new terms set out by the European Commission.

Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps

Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:

Download FREE Guide

Core points of GDPR:

  1. Data-driven consent

    An individual must be provided with accurate information on all relevant issues, such as the kind of data to be collected or processed, and for what purpose. “Explicit” consent is needed when processing particularly sensitive data, such as political opinion, religion, ethnic origin, biometric data (even photographs), sexual orientation, or data concerning health.

  2. “Right to be forgotten”

    All subjects have the right to have their retained data removed from a database upon demand.

  3. Penalties

    A breach of the new law may incur fines of up to 20 million EUR or 4% of turnover.

  4. Breach notifications

    The data controller must inform data subjects within 72 hours in the case of any data breach or hacking.

  5. Parental consent

    Companies cannot collect data from children under 16 without verifiable parental consent. While the international standard is 13, GDPR raised this age to 16 to protect personal data, with the possibility of lowering the limit, though not below 13 years.

  6. Compliance of all subjects

    All vendors who deliver cloud service to businesses in the EU or process data in any other way must meet the requirements of the new ruling.

  7. Data protection officer

    If a company manages a large amount of sensitive data, it will be obliged to appoint a data protection officer.

  8. Two years to get ready

    GDPR comes into force by spring of 2018, so businesses are supposed to use this transitional period to apply its provisions.

  9. Comprehensible policy

    A request for a user’s consent to data processing must be presented in an easily accessible form and written in clear and plain language.

Is the world ready for the new agreement?

The recently published study on Corporate Readiness to Remove Customer Data by the Blancco Technology Group presents the results of a survey of 511 IT professionals who were asked to assess their company’s level of preparation for the new regulations. The study included participants from countries such as the US, Australia, Malaysia, Germany, the UK, Canada, Mexico, and Singapore. Here’s a quick look at the results.

IT professionals from companies around the world were asked about their awareness of the upcoming changes, as well as the actions they had taken towards compliance. 59% of all those surveyed declared their awareness of the European GDPR as high. On the other hand, 28% admitted to having little or no knowledge of the subject.

60% of IT professionals claimed to be fully prepared (23%) or on the right track (37%) to comply with the new legislation. The remaining 40% of participants admitted to being less prepared, with 9% saying they were not prepared at all or did not know how to start.

This should be a warning sign for you if you are not completely sure that your current data-management practices are in line with the new regulations. Remember that violations of the new law may result in significant penalties, as mentioned above. Better safe than sorry, so it’s time to reassess your company’s data practices.

How to proceed

Two years until the regulations come into force may seem like a lot of time. However, adjusting your workflow and stack so they are privacy-compliant may be a longer process than initially expected. Don’t put preparations off, as any ambiguities may cause additional delay. Remember that it is not only about fines, but also your company’s reputation and your customers’ trust.

Some organizations may have to completely reassess their data-security policy. Those already working with sensitive data on a daily basis will probably only need to adjust their current practices a little. If you are not sure where to start, here is some advice:

  • Conduct an internal audit
  • Create written documentation
  • Remove data securely
  • Provide proof of data removal
  • Deliver customer communications
  • Incorporate mobile-device management
  • Collect data responsibly
  • Drive cross-department collaboration
  • Implement education and training
  • Appoint a data-protection officer
  • Monitor risk management
  • Develop an incident response plan

For more details, read the Blancco Technology Group Report.

Piwik vs. GDPR

Web analytics is one of the most essential tools for business these days. That’s why your tracking platform usually contains a lot of sensitive information on your clients and employees. You definitely want to avoid any data leaks, or the fines you may face in case of any violations. Luckily, with tools such as Piwik you can remain in control of your own and your visitors’ data.

Piwik’s approach to security and data ownership has been acclaimed by leading data-privacy organizations such as the French CNIL and the German ULD. Here is a shortlist of the Piwik features that support your data security and make it a reliable, enterprise-level tool:

  • 100% data ownership
  • Cookie consent not obligatory
  • Automatic anonymization of visitor IDs
  • Respect for “DoNotTrack” preferences
  • Piwik opt-out
  • Premium security Piwik PRO features
  • Privacy-compliance advice and support

With the upcoming changes introduced by the General Data Protection Regulation, the public approach to privacy is definitely going to change. It’s time to act now! If you’re not sure where to start optimizing your analytics for privacy compliance, there is no need to throw your hands up in despair. Piwik PRO experts are here to help you through.

Contact us for a free consultation on making your analytics platform ready for the new law.

Author

Karolina Gawron