How New GDPR Rules Will Affect Your Online Business

Security and privacy are a hot topic, and not a passing trend. However secure your own systems are, the next day's news can carry a story about someone's private photos being leaked, as happened to a number of celebrities recently. Leaked photos are something you can live with; add a bit of humour and they do not hurt that much. What really hurts is when someone takes over your bank account, your passwords and other sensitive information.

What is GDPR?

The General Data Protection Regulation (GDPR) is the EU regulation on the protection of personal data. It comes into effect on 25 May 2018 and replaces the Data Protection Directive of 1995. It applies not only to businesses established in the EU but also to businesses anywhere that offer goods or services to people in the EU or monitor their behaviour. Personal data obviously includes an individual's name, phone number and postal address, but the GDPR's definition explicitly covers a much wider range of digital information: location data, online identifiers such as usernames, IP addresses and cookie identifiers, and behavioural profiles that can be linked to a person. Moreover, both the business that decides what happens to the data (the controller) and any party that handles it on the business's behalf (the processor) are responsible for protecting it.

Let's see how these changes can affect your business.

New data protection rules

To make a long story short, here are the key GDPR requirements:

  • Users can request erasure of their personal data (the "right to be forgotten").
  • Businesses need a lawful basis for collecting and processing data; where that basis is consent, the consent must be freely given, specific, informed and unambiguous.
  • In case of a data breach, the supervisory authority must be informed within 72 hours of the business becoming aware of it, and affected users without undue delay where the breach is likely to put them at high risk.
  • Data protection must be built in from the start of a project and maintained throughout its life cycle (privacy by design and by default).
  • Certain organisations have to appoint a data protection officer.

If your business does not comply, the fine can be up to 4% of worldwide annual turnover or €20 million, whichever is higher. The GDPR also makes you accountable for demonstrating compliance: you must be able to show that your processing follows the rules, keep records of your processing activities, and document the changes made and the steps taken to protect user data.

Let's go through each of these requirements.

Right to be forgotten

Here is the direct statement from the General Data Protection Regulation:

"a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purpose for which they are collected or otherwise processed".

This means that if a user asks for their data to be deleted, you have to erase all information relating to them from every place it lives: production databases, caches, search indexes, backup systems, logs, and even paper notes kept in a filing system. No half-delete or 90% delete. The right is not absolute: the GDPR lets you keep data you are legally obliged to retain (tax records, for example) or that you need to defend a legal claim, but you have to be able to say which data that is and why. The erasure option must also be easy to find in your application or website rather than hidden somewhere in a menu, and the request process must be explained in clear and plain language.
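The regulation says what must happen, not how. One way engineers handle the "erase it from the backups too" problem is crypto-shredding: every user's records are encrypted under a per-user key, and an erasure request deletes the live rows and destroys that key, so the copies sitting in write-once backups become unreadable. The following is an added example written for this article, not code from the original post or from any product. It uses only the Python standard library, the user IDs and the sample record are constructed, the in-memory KeyStore stands in for a real KMS or HSM, and whether key destruction counts as erasure for your supervisory authority is a question for your legal advisers.

```python
"""Crypto-shredding demo: erasing a user's data everywhere by destroying their key.

Added example, not part of the original post. Uses only the Python standard
library; the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag,
which is fine for a demonstration, but a real system would use AES-GCM from a
vetted library and keep the keys in a KMS or HSM.
"""
import hashlib
import hmac
import secrets
from typing import Dict

NONCE_LEN = 16
TAG_LEN = 32


class KeyStore:
    """One data-encryption key per user (constructed in-memory stand-in for a KMS)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, user_id: str) -> bytes:
        # Generate a fresh 256-bit key the first time a user is seen.
        if user_id not in self._keys:
            self._keys[user_id] = secrets.token_bytes(32)
        return self._keys[user_id]

    def has_key(self, user_id: str) -> bool:
        return user_id in self._keys

    def shred(self, user_id: str) -> bool:
        """Destroy the user's key; every copy of their ciphertext becomes unreadable."""
        return self._keys.pop(user_id, None) is not None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block i = HMAC(key, nonce || i), truncated to the needed length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError for a wrong key or a tampered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def erasure_demo() -> dict:
    """Walk through store -> back up -> erasure request, and report what is left."""
    keys = KeyStore()
    live_db: Dict[str, bytes] = {}  # production table: user_id -> encrypted record
    backup: Dict[str, bytes] = {}   # offline backup; an erasure job cannot rewrite it

    # Constructed sample personal data (name, phone, location), not real.
    record = b"Alice Example;+44 20 7946 0000;lat=51.50,lon=-0.12"
    live_db["alice"] = encrypt_record(keys.key_for("alice"), record)
    backup["alice"] = live_db["alice"]  # the nightly backup copies the ciphertext

    readable_before = decrypt_record(keys.key_for("alice"), backup["alice"]) == record

    # Erasure request: delete the live row, then destroy the key.
    del live_db["alice"]
    key_destroyed = keys.shred("alice")

    # The backup blob still exists, but without the original key the tag check
    # fails for any other key, so the record cannot be recovered.
    try:
        decrypt_record(secrets.token_bytes(32), backup["alice"])
        readable_after = True
    except ValueError:
        readable_after = False

    return {
        "readable_before": readable_before,
        "key_destroyed": key_destroyed,
        "backup_still_present": "alice" in backup,
        "key_present": keys.has_key("alice"),
        "readable_after": readable_after,
    }


if __name__ == "__main__":
    print(erasure_demo())
```

Run it directly to see the before-and-after report. Two practical caveats: the key store must not be swept into the same backups you are trying to neutralise, or the shredded keys come back with the next restore; and any data that was written unencrypted before the scheme was introduced still has to be found and deleted the hard way.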

Explicit consent

Under the GDPR, users have the right to be informed about what data is being processed, why and on what legal basis. Where you rely on consent, your app or website has to ask for it before gathering the data, and you have to explain in clear and plain language what type of data you are collecting, why, what you are going to do with it, how you will keep it safe, how long you will store it, who you share it with, and how the user can withdraw consent or exercise their other rights.

Updating your terms of service or privacy policy is not enough on its own. Consent has to be a clear affirmative action that is separate from other terms: pre-ticked boxes, silence or continued use of the site do not count, and consent buried in a long terms-of-service document is not freely given. You also have to be able to show when and how each user consented, and withdrawing consent must be as easy as giving it. And remember: the wording has to be plain enough for a non-specialist to understand, and where your service is aimed at children, plain enough for a child.

Right to be notified

If you suffer a data breach, you have to notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. If it is likely to result in a high risk to them, you must also tell the affected users without undue delay. Nobody wants a repeat of the 2016 Uber breach, which the company concealed for about a year; GDPR is designed to prevent exactly that.

To meet that deadline you first have to be able to detect a breach, which usually means better logging and monitoring of access to personal data. You also need a written incident response plan that says who assesses an incident, who decides whether it must be reported, and who contacts the authority and the users.

Privacy first

Privacy by design and by default means that when you build a new application or website, privacy and security have to be considered from the first design decision, not bolted on before launch, and this approach has to continue throughout the entire life cycle of the app. In practice it means collecting only the data you actually need for the stated purpose, keeping it no longer than necessary, and defaulting to the most private setting. No "Big Brother" games: no quietly collecting extra data because it might be commercially useful later.

Data protection officer

Another GDPR requirement is to appoint an in-house or outsourced data protection officer (DPO) who helps the business follow the new rules. This person should be expert in data protection law and practice, be able to monitor compliance independently, and act as the contact point for the data protection authorities and for users. Contrary to a common belief based on early drafts, there is no 250-employee threshold in the final text: a DPO is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special categories of data (such as health data) or criminal records on a large scale. Smaller businesses may still find it useful to appoint one voluntarily.

Summary

Security and privacy are a big deal and these regulations are necessary. You can find the detailed GDPR documentation here. If you need to implement any of these features in your app or website, feel free to contact us at any time.

As always, thanks for reading and keep visiting our blog for more IT-related topics.
