General Data Protection Regulation: How to prepare for the GDPR with 12 important steps
With hacking attacks, leaks of billions of records, and unlawful use of personal information making headlines daily, data security and privacy have become a major concern. Many companies, institutions, and even governments are taking measures to protect personal data.
Any large organization today has a set of internal security policies and standards, and a policy for protecting personal data is always among them. The GDPR effectively requires such procedures of every IT company whose projects touch the personal data of individuals in the EU.
What is GDPR
The GDPR, or General Data Protection Regulation (Regulation (EU) 2016/679), is an EU regulation that requires organizations to protect the personal data and privacy of individuals in the EU. Note that it protects people who are in the EU, not only EU citizens: presence or residence in the Union is what matters, not nationality. It is an enormous step towards consistent data protection across the EU.
The regulation was adopted in April 2016 and applies from May 25, 2018. It affects not only EU member states but any company that supplies IT services to the European market. Controllers may only engage processors that provide sufficient guarantees of compliance (Art. 28), so a vendor that does not meet the requirements becomes a liability to its customers and risks being dropped from the supply chain. Fines for non-compliance reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
According to a PwC survey, 54% of US companies consider GDPR preparation the highest priority on their data security and privacy agenda, another 38% call GDPR readiness one of several top priorities, and only 7% report that it is not a main priority.
For the Belarusian IT industry this means that companies which do not comply with the regulation will lose European customers, as well as clients from other countries who have committed to GDPR compliance or who handle personal data of people in the EU.
On the other hand, if you prepare for the GDPR in time and can demonstrate compliance, you gain a clear competitive advantage and remove the anxiety about fines. (Certification under Art. 42 exists but is voluntary; compliance is demonstrated through documentation and measures, not a mandatory certificate.) You also ensure proper protection of user data, which is a basic requirement for developing quality mobile and web applications.
Territorial effect and data types the GDPR protects
As mentioned above, the regulation has extraterritorial effect: it covers IT companies regardless of whether their legal address is outside the EU.
So any organization that stores or processes personal data of individuals who are in the EU must meet GDPR requirements, even if it has no business presence in the European Union. Under Art. 3(2) this applies to companies that offer goods or services to people in the EU or that monitor their behaviour.
The regulation applies to an organization if:
- it is established in an EU country and processes personal data in the context of that establishment; or
- it has no presence in the EU but offers goods or services to people in the EU, or monitors their behaviour, and so collects and processes their personal data.
Company size is not an applicability criterion. The 250-employee threshold that is often cited only narrows one obligation, the duty to keep records of processing activities (Art. 30(5)): organizations with fewer than 250 employees are exempt from it unless the processing is likely to risk the rights and freedoms of data subjects, is not occasional, or involves special categories of data. Most software companies that handle user data regularly do not qualify for that exemption.
A simple and common example: a Belarusian app development company with no EU registration launches a mobile application that uses geolocation and requires users to sign in with an e-mail address or a social network account.
The app is published in the App Store and/or Google Play, can be downloaded in EU countries, and runs on a server leased in Russia. Although neither the company nor its infrastructure is in the EU, the app processes personal data of people in the EU (location, e-mail address, account identifiers), so the company must comply with the regulation. Hosting that data in Russia also makes it a transfer outside the EU, which requires a Chapter V safeguard such as standard contractual clauses, since Russia has no adequacy decision.
Also, even when your company does not process user data itself, the end customer for whom you developed the product usually does. If you host, maintain or operate the product on their behalf, you act as a processor with your own obligations under Art. 28: a data processing agreement, appropriate security measures, and assisting the controller with data subject requests and breach notifications.
The GDPR protects all personal data, that is, any information relating to an identified or identifiable person, including:
- Basic identity information (name, gender, ID numbers, etc.)
- Online identifiers and web data (location, IP address, RFID tags, cookie data)
- Biometric data
- Political opinions
- Sexual orientation
- Racial or ethnic origin
- Health and genetic data
The last five are "special categories" of data under Art. 9. Processing them is prohibited unless a specific exception, such as the person's explicit consent, applies, and they call for stronger protection than ordinary personal data.
The key rules of the GDPR and how to prepare:
- Keep directly identifying data separate from records of what a user did, so that a leak of one store does not reveal the other. For example, store a person's name and e-mail address separately from the history of his or her actions, linked only through a pseudonym. The GDPR does not mandate this layout, but it names pseudonymisation as an appropriate security measure (Art. 25, Art. 32), and a leaked activity log then no longer shows to whom the actions belong. Note that pseudonymised data is still personal data as long as the link can be restored.
- Document what personal data you hold, where it came from, and with whom you share it, and keep records of your processing activities (Art. 30). Create and maintain a personal data register that records, for each data set, where it is stored, the owner responsible for it, its sensitivity level, the retention period, who has access, and so on.
- If a personal data breach occurs, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33), and inform the affected users without undue delay when the breach is likely to put their rights and freedoms at high risk (Art. 34). Being attacked is not itself an offence, but a breach that exposes inadequate security measures or a missed notification can lead to a serious fine. So invest in data security and privacy from the start of development, and rehearse detection and notification so that the 72-hour clock does not catch you unprepared.
- Provide users with the right to erasure, the right to be "forgotten" (Art. 17). On request, you must delete the person's data without undue delay, including copies held by your processors, and where the data was made public take reasonable steps to have other controllers delete it too. The right is not absolute: data you are legally obliged to keep, such as accounting records, may be retained. For everything else you need to know every system that holds a copy in order to delete it.
- Follow "privacy by default" (Art. 25(2)): a user starts using the app with the most privacy-protective settings, and only the personal data necessary for each purpose is processed. If the user changes nothing, that level stays. The app must not require users to take any action to obtain maximum protection of their personal data.
- Also follow "privacy by design" (Art. 25(1)): build data protection into the software from the very beginning of mobile or web app development (data minimisation, encryption, access control, retention limits) rather than adding it before release.
- From May 2018 some organizations must appoint a Data Protection Officer (DPO, Art. 37). You must designate one if you are a public authority (except courts acting in their judicial capacity), if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special categories of data or of data about criminal convictions.
- Companies established outside the EU that fall under the regulation must appoint a representative in the European Union (Art. 27), in one of the member states where the people whose data they process are located. The representative is the local contact point for supervisory authorities and data subjects. Companies with establishments in several member states deal primarily with the authority of their main establishment, the lead supervisory authority (Art. 56), which coordinates enforcement of cross-border processing; appointing a representative does not give a non-EU company such a main establishment.
- Decide in advance who in your organization will own compliance and maintain the documentation, and give them the necessary resources and authority. This record is also the input for data protection impact assessments (Art. 35), which are required for processing that is likely to result in a high risk to individuals.
- Identify and document the lawful basis for each processing activity (Art. 6): review the types of processing you carry out and determine the basis for each, whether consent, performance of a contract, a legal obligation, or legitimate interests. Where you rely on consent, it must be freely given, specific, informed and unambiguous, as easy to withdraw as to give, and you must be able to demonstrate that it was obtained (Art. 7).
- The regulation requires organizations not only to comply with the requirements but to be able to demonstrate compliance through documentation (the accountability principle, Art. 5(2)). Measures that are implemented but not documented cannot be shown to a supervisory authority and will be treated as if they were not in place.
- A simple but important rule: inform decision makers and other key people in your company about the GDPR and the preparation activities, since budget, staffing and product decisions depend on their support.
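The first rule above, keeping identities apart from activity records, is the one rule in the list that is a concrete engineering technique, so here is an added example of it (written for this page, not code from the original article or from Smartym). It splits constructed sample events into an identity store and an activity log linked only by a pseudonym, and shows the caveat a practitioner needs: a pseudonym made with a plain hash of the e-mail address is re-identified trivially by anyone holding a list of likely addresses, whereas an HMAC under a secret key kept with the identity store is not. The e-mail addresses, actions and key are all constructed for the example.

```python
"""Pseudonymisation: keep identities and activity records apart.

Added example for this article. The sample identities and events are constructed
and do not come from the article.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: who did what in a hypothetical app.
SAMPLE_EVENTS = [
    ("alice@example.org", "viewed_invoice"),
    ("bob@example.org", "changed_address"),
    ("alice@example.org", "downloaded_report"),
]


def unkeyed_pseudonym(identity: str) -> str:
    """Weak variant: a plain hash of the identifier. Anyone can recompute it."""
    return hashlib.sha256(identity.encode("utf-8")).hexdigest()


def keyed_pseudonym(identity: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that lives with the identity store, never with the log."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()


def split_stores(events, key):
    """Return (identity_store, activity_log).

    identity_store maps pseudonym -> identifier and is kept, together with the key,
    in a separately protected system. activity_log holds (pseudonym, action) only
    and is what analytics or support tooling works from.
    """
    identity_store = {}
    activity_log = []
    for identity, action in events:
        p = keyed_pseudonym(identity, key)
        identity_store[p] = identity
        activity_log.append((p, action))
    return identity_store, activity_log


def actions_for(identity, key, activity_log):
    """Authorised lookup: needs the key, so only the key holder can link a person to actions."""
    p = keyed_pseudonym(identity, key)
    return [action for q, action in activity_log if q == p]


def reidentify_by_guessing(activity_log, candidate_identities, pseudonym_fn):
    """Simulate an attacker who obtained only the activity log plus a list of likely
    identifiers (e.g. a customer e-mail list from another breach). Returns the
    (identity, action) pairs the attacker manages to link."""
    lookup = {pseudonym_fn(c): c for c in candidate_identities}
    return [(lookup[p], action) for p, action in activity_log if p in lookup]


def log_contains_direct_identifiers(activity_log, identities):
    """True if any identifier appears verbatim anywhere in the log."""
    return any(i in p or i in action for i in identities for p, action in activity_log)


def demo():
    """Run both variants against the same sample and report what an attacker can link."""
    key = secrets.token_bytes(32)        # held with the identity store
    wrong_key = secrets.token_bytes(32)  # what an attacker without the real key has
    identities = sorted({i for i, _ in SAMPLE_EVENTS})
    _identity_store, log = split_stores(SAMPLE_EVENTS, key)
    weak_log = [(unkeyed_pseudonym(i), a) for i, a in SAMPLE_EVENTS]
    return {
        "log_has_identifiers": log_contains_direct_identifiers(log, identities),
        "alice_actions": actions_for("alice@example.org", key, log),
        "linked_from_weak_log": len(reidentify_by_guessing(weak_log, identities, unkeyed_pseudonym)),
        "linked_from_keyed_log": len(reidentify_by_guessing(log, identities, unkeyed_pseudonym)),
        "linked_with_wrong_key": len(
            reidentify_by_guessing(log, identities, lambda i: keyed_pseudonym(i, wrong_key))
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the plain hash, all three events are linked back to their owners from the leaked log alone; with the keyed pseudonym, none are, unless the key leaks too. That is why the key and the identity store must sit behind separate access controls from the activity log, and why the log on its own should still be treated as personal data until the key and mapping are destroyed.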
The GDPR is a significant step towards a high level of user data protection. Preparing for the regulation should be a priority for companies that want to maintain a good reputation, gain a competitive advantage, and avoid large fines.
Here at Smartym, we take all of the above measures to prepare for the General Data Protection Regulation, as we have many customers and end users in European countries. If you have a project idea, you're welcome to contact us for a free consultation!