All organizations that provide services or sell goods in the EU have to accept the new data protection rules. Otherwise, they can be fined 4% of their global turnover, which reaches approximately $24.5 million.
GDPR coming into force will affect businesses around the globe, including 52% of American companies. Many companies have already announced that they are ready for the new rules.
Still, according to Gartner's predictions, only half of firms will succeed in adopting these requirements. Here you can find a list of recommendations from the software development company Belitsoft that will help you to be among such businesses.
What does GDPR stand for? Which organizations have to follow GDPR?
GDPR means General Data Protection Regulation. It is a legal document with a detailed list of rules on how to collect and process personal data.
The previous rules, presented in 1995, were a list of recommendations. In contrast, GDPR imposes strict obligations on all organizations that collect or handle personal information.
Also, all your contractors have to align with the GDPR standard for your product (including companies that provide you with software development resources) to ensure your solution is GDPR-compliant.
Gartner forecasts that authorities will check adherence to the new standard right after GDPR is approved and comes into effect. That is why preparing in advance will help companies avoid fines and other negative consequences for their business, for example, losing clients and partners.
This regulation, including accompanying documents, runs to 260 pages and takes long and thorough study. Nevertheless, we prepared a short list of steps you can take now to meet its requirements.
Be sure you get consent from users
According to the GDPR, you are obliged to ask users whether they agree to your company gathering and processing their data.
Your application has to tell customers exactly which information is collected, why your organization is going to use it, and how. If the customer does nothing, that does not count as consent. The customer has to take a specific action, for example, ticking a checkbox. All you need is to set up a timely notification that thoroughly describes the request and allows users to agree or decline.
Please note: if you already have a customer database (DB), you probably should ask those customers for permission again because the level of consent they gave can be lower than the new regulation demands. Remember that a user needs to take a clear, deliberate action to show their consent, like clicking the “I agree” button.
You are not required to get users’ consent if you need the particular information to provide your services. For instance, an online shop asks for a name and email address to deliver a product. Nevertheless, if you want to use customers’ data for advertising or other extra purposes, you are forbidden to do that without consent.
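The consent rules in this section, as an added example (not code from Belitsoft or from the regulation): a ledger that treats only a deliberate action as consent, lets service-essential purposes through without it, and lists imported or silent users who must be asked again. The purpose names, action names and record layout are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed purpose and action names; NECESSARY is data the service cannot work without.
NECESSARY = {"order_delivery"}
AFFIRMATIVE = {"ticked_checkbox", "clicked_i_agree"}  # deliberate user actions
UNCONFIRMED = {"no_action", "legacy_import"}          # silence or old database rows
REFUSED = {"declined", "withdrew"}


@dataclass
class ConsentLedger:
    """Append-only log of consent events keyed by (user_id, purpose)."""
    events: dict = field(default_factory=dict)

    def record(self, user_id, purpose, action):
        if action not in AFFIRMATIVE | UNCONFIRMED | REFUSED:
            raise ValueError(f"unknown consent action: {action!r}")
        entry = {"action": action, "at": datetime.now(timezone.utc).isoformat()}
        self.events.setdefault((user_id, purpose), []).append(entry)

    def latest(self, user_id, purpose):
        history = self.events.get((user_id, purpose))
        return history[-1]["action"] if history else None

    def may_process(self, user_id, purpose):
        if purpose in NECESSARY:
            return True  # needed to provide the service itself
        # No record, inaction, or an imported legacy flag never counts as consent.
        return self.latest(user_id, purpose) in AFFIRMATIVE

    def reconsent_queue(self, purpose):
        """Users to ask again: imported or silent, never those who refused."""
        return sorted(user for (user, p), history in self.events.items()
                      if p == purpose and history[-1]["action"] in UNCONFIRMED)


def demo():
    ledger = ConsentLedger()
    ledger.record("alice", "marketing_email", "clicked_i_agree")
    ledger.record("bob", "marketing_email", "legacy_import")  # old database row
    ledger.record("carol", "marketing_email", "ticked_checkbox")
    ledger.record("carol", "marketing_email", "withdrew")     # changed her mind
    checks = {u: ledger.may_process(u, "marketing_email")
              for u in ("alice", "bob", "carol", "dave")}
    checks["dave_delivery"] = ledger.may_process("dave", "order_delivery")
    return checks, ledger.reconsent_queue("marketing_email")
```

Keeping every event rather than a single flag also gives you a record of when each user agreed or withdrew.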
Encrypt personal information
Ashley Madison stored customers’ addresses and their credit card details without encryption. After hackers attacked the company, it was sued over the data leak many times, and this cost it millions of dollars. In addition, if the authorities had approved GDPR by that time, the company would have been seriously fined.
Data encryption adds extra barriers that attackers need to overcome before accessing the information.
Article 32 of GDPR requires “state-of-the-art” protection measures. However, it does not tell companies exactly what to do; they have to define these measures themselves.
There are three main strategies you can follow to design a GDPR-compliant database:
- building a custom server with centralized DB;
- relying on a third-party GDPR-compliant server with centralized DB;
- utilizing blockchain technology and designing a custom server with a decentralized DB.
Minimize the amount of data you store
Store only the particular information you can’t work without. It would be helpful to implement automated deletion of all the data you don’t need anymore.
This decision will protect your users’ privacy and spare you trouble during cyberattacks and data breaches, such as communicating with authorities and the owners of hacked accounts.
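One way to automate the deletion described above, as an added example (not code from Belitsoft): a purge job that removes rows once the retention period for their purpose has passed. The table layout, purpose names and retention periods are assumptions, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention periods per purpose; the article prescribes no values.
RETENTION = {"order_delivery": timedelta(days=365),
             "support_chat": timedelta(days=90)}


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE personal_data (id INTEGER PRIMARY KEY, "
               "user_id TEXT, purpose TEXT, value TEXT, collected_at TEXT)")
    return db


def purge_expired(db, now):
    """Delete rows past their purpose's retention period; return counts.
    Assumption: a purpose with no retention rule is purged entirely."""
    deleted = {}
    purposes = [p for (p,) in db.execute(
        "SELECT DISTINCT purpose FROM personal_data")]
    for purpose in purposes:
        keep_for = RETENTION.get(purpose)
        # UTC ISO-8601 strings in one format sort chronologically as text;
        # "9999" sorts after any real timestamp, so unmapped purposes go.
        cutoff = "9999" if keep_for is None else (now - keep_for).isoformat()
        cur = db.execute("DELETE FROM personal_data "
                         "WHERE purpose = ? AND collected_at < ?",
                         (purpose, cutoff))
        if cur.rowcount:
            deleted[purpose] = cur.rowcount
    db.commit()
    return deleted


def demo():
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    db = open_store()
    rows = [  # constructed sample rows: (user, purpose, value, age in days)
        ("u1", "order_delivery", "1 Example St", 30),
        ("u2", "order_delivery", "2 Example St", 400),
        ("u3", "support_chat", "chat transcript", 91),
        ("u4", "old_campaign", "u4@example.com", 5),
    ]
    db.executemany("INSERT INTO personal_data VALUES (NULL, ?, ?, ?, ?)",
                   [(u, p, v, (now - timedelta(days=d)).isoformat())
                    for u, p, v, d in rows])
    deleted = purge_expired(db, now)
    left = [u for (u,) in db.execute("SELECT user_id FROM personal_data")]
    return deleted, left
```

The per-purpose counts returned by `purge_expired` can be logged on each run as evidence that the retention policy is actually enforced.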
Document your protection measures
The GDPR requires you not only to implement security measures but also to document every step so that you can prove your compliance in case of an official audit.
So you must keep all the documentation in order: personal information registry, security policies, and other documents thoroughly described on the Information Commissioner’s Office website.
A Data Protection Officer is usually in charge of recording and organizing all these assets in your organization. If you don’t have such a professional, you might also not meet the GDPR requirements and face reputation and financial risks.
Prepare a plan for force majeure events
In any case, have a strategy for data breaches and data leaks. In most situations, you have to report a problem to the Information Commissioner’s Office within 72 hours. If you decide not to inform them, you must have a strong reason properly described and supported by documents. If this personal data leak poses a “high risk to the rights and freedoms of individuals”, you also must notify your users.
The message for customers has to include the following points:
- name and contact information of your DPO or another specialist who is responsible for users’ security;
- details about possible consequences of the data leak;
- your measures to cope with this data breach.
If you don’t report to the Information Commissioner’s Office when necessary, you could get a fine of EUR 10M, let alone extra fines. Preparing a proper reporting procedure in advance can significantly mitigate these risks.
To sum up
Experts predict that only half of organizations will turn out to be GDPR-compliant. Regardless of your location, you are subject to the GDPR if you provide services or sell goods to EU citizens. Customers can request deletion of their personal data or a change to a permission they gave earlier. Breaking the law leads to high fines and reputational damage.