You've probably received emails (from us and other businesses) about the impending GDPR. It's been talked about for a long time and there are all sorts of articles and businesses trying to understand and comply with upcoming regulations. In this post, we'll provide a basic explanation of GDPR regulations and what they mean for you.
What is GDPR?
The General Data Protection Regulation, or GDPR, is an EU regulation that applies from 25 May 2018. It governs how personal data can be collected, used and stored. Most people's data is collected by many companies (social media or online shopping apps, for example) for many purposes (Amazon needs your physical address to deliver packages). Some data identifies you directly or indirectly, like your last name or your IP address. Some data is more sensitive (GDPR calls it "special category" data), like medical history or religious beliefs.
GDPR aims to do a few things. One is to give consumers easier access to their data; for example, Facebook lets you download the data it holds about you. Another is consent. Consent is one of the lawful bases an organisation can rely on to process your data, and where it relies on consent, that consent has to be freely given, specific, informed and unambiguous. If an app wants to access your contacts, it can't just scrape them; it has to ask you whether it may go through them (for example, to suggest connections on LinkedIn).
Another concern is data breaches. Under GDPR, a company that suffers a breach of personal data has to report it to the supervisory authority for data protection (in the UK, the Information Commissioner's Office, or ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected. Where the breach is likely to result in a high risk to those people, the company must also tell them directly without undue delay, and the authority can order it to do so.
To limit the damage of a breach, GDPR names encryption and pseudonymisation as examples of the technical measures a company should apply where appropriate. The idea is that even if the data is stolen, the attacker doesn't simply open a spreadsheet reading "John Doe, Account Number 1234, Password is Password" in plain text (passwords in particular should only ever be stored as salted hashes). Pseudonymisation means that instead of "Jane Smith", the record carries a replacement identifier. The company keeps the key or lookup table that links that string of letters and numbers back to Jane Smith, stored separately from the data itself; to anyone outside the company it looks like useless gibberish. One caveat: pseudonymised data is still personal data under GDPR, because the company can re-identify it, so the obligations described in this post still apply to it.
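As an added illustration of the pseudonymisation and "no plaintext passwords" points above (this is example code written for this post, not anything Adam Equipment or the ICO publishes), the script below takes constructed sample records, replaces the name with a keyed HMAC-SHA256 token, and stores the password only as a salted PBKDF2 hash. The key is generated on the fly so the script runs offline; in a real deployment it would be loaded from a secrets store kept apart from the data. The record layout and the names in it are made up for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data; none of these are real people. This is the
# "plain spreadsheet" layout the text warns about: a direct identifier
# and a plaintext password stored side by side.
RAW_RECORDS = [
    {"name": "Jane Smith", "account": "1234", "password": "Password", "order_total": 49.99},
    {"name": "John Doe",   "account": "5678", "password": "hunter2",  "order_total": 12.50},
]


def new_key() -> bytes:
    """Pseudonymisation key. Assumed to live in a secrets manager or HSM,
    separate from the records; generated here only so the example is self-contained."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Same name + same key -> same token, so the company can still join records.
    Without the key the token reveals nothing about the name. An unkeyed hash
    would not do: an attacker could hash a list of likely names and compare.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with the name tokenised and the password hashed.

    The fields that would let an outsider identify Jane Smith or log in as her
    are gone; the business data (account, order total) is kept and can still
    be linked to the same person via subject_id by anyone holding the key.
    """
    salt, digest = hash_password(record["password"])
    return {
        "subject_id": pseudonym(record["name"], key),
        "account": record["account"],
        "pw_salt": salt.hex(),
        "pw_hash": digest.hex(),
        "order_total": record["order_total"],
    }


def reidentify(token: str, key: bytes, known_names: list) -> Optional[str]:
    """Only a holder of `key` can map a token back to a name, by recomputing
    the HMAC over the names it knows. Without the key every guess fails."""
    for name in known_names:
        if hmac.compare_digest(pseudonym(name, key), token):
            return name
    return None


if __name__ == "__main__":
    key = new_key()
    stored = [pseudonymise(r, key) for r in RAW_RECORDS]
    for row in stored:
        print(row)  # what a thief would see: tokens, hashes, order data
    # what the company can still do with the key:
    print(reidentify(stored[0]["subject_id"], key, [r["name"] for r in RAW_RECORDS]))
    # what an outsider with a guessed key can do:
    print(reidentify(stored[0]["subject_id"], new_key(), [r["name"] for r in RAW_RECORDS]))
```

The token is truncated to 16 hex characters for readability; for a large population, keep the full 64 to avoid collisions. Note that the key is the whole game: if it is stored in the same database that leaks, the data is effectively not pseudonymised at all.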
According to Wired UK, “For companies that have more than 250 employees, there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for and descriptions of technical security measures in place.” So if a company wants to access the camera roll on your phone, it has to record why, what kind of pictures it keeps and for how long, and how it protects them.
Organisations whose core activities involve large-scale, systematic monitoring of people or large-scale processing of sensitive data (and all public authorities) have to appoint a Data Protection Officer (DPO) who monitors the organisation's compliance with GDPR.
GDPR also allows supervisory authorities to fine businesses for non-compliance: up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements.
How does it affect you?
If you own a business, you will have to get ready for GDPR compliance. Even if your company is not physically located in the EU, if it offers goods or services to people in the EU or monitors their behaviour, and therefore handles their personal data, you must comply.
As a consumer, GDPR gives you more transparency about what data is collected about you, and why. It also means you will get a lot of emails and notifications asking for your informed consent when your data is collected. It should also cut down the information companies collect when they don't need it, which in turn reduces what is exposed when they are breached: if a company can't collect your data without telling you why, it will probably gather less of it, because consumers won't see the need for it. Less data held means less damage when a breach happens.
Consumers gain the Right to Erasure (also called the Right to Be Forgotten), which means they can request that their personal data be deleted in various circumstances. This ties into informed consent: you must be able to withdraw consent for your data to be collected as easily as you gave it. For example, you let an app access your location. Later, you learn it tracks your location even when you aren't using the app. Under GDPR, you can withdraw that permission because you dislike the way it is used.
You should be able to see and control the data collected about you by various businesses. Privacy notices should be easier to understand, as should the forms asking for your consent to collect your data.
How does it affect Adam Equipment?
In addition to reviewing the data we collect and making sure it's safe, we will need your confirmation to ensure you keep receiving emails from us.
Is there anything you need to do?
This is only a basic look at GDPR. We hope it helps you understand the new privacy law. Make sure to familiarise yourself with it as the implementation date approaches. Contact us if you have any questions. You can also follow us on social media for information about our products, announcements and more blog posts. Thank you for reading!