General Data Protection Regulation (GDPR) is the regulation established to protect the privacy, and personal data of European Union citizens for transactions occur within the member states of EU in 2012. A commission in this regard was laid by the European Union. To stretch an agreement on the issues to be included and to enforce, it took nearly four years for the relevant parties.
Jump to your favourite topic
GDPR and Data Security
On May 6 this year, EU finally leaps to be a perfect fit for the digital world, and there exist changes in the business in the way which data is handled and protected with the GDPR.
GDPR and Citizens
Today, almost every revolves around data in this crazy world. Every time we use a service, better to ensure that the data you are using is being analyzed and recorded.
Our ID numbers, names, credit card info, addresses, etc. are continually being examined, collected, tracked and in several cases even saved by the respective organizations.
Along with the data that is being everywhere and the contents being valuable, breaching has become inevitable.
While considering the protection of the customer’s data in any business, they have notoriously fallen short as hackers going to hack, means that the hackers have been doing quite well in the raging Cyberwar.
GDPR enters here, let’s have a quick rewind on what it is.
In short, GDPR is the new set of rules for the citizens of European Union to have more control over their data and simplifying it according to related business regulations of businesses data.
After four years of gigantic preparation and debates, the GDPR is approved by the European Parliament in April.
Its effect will be from May 25th, 2018. Most of the members of European Nations incorporated it into their laws by 6th of May this year.
GDPR and Companies
The organizations under the GDPR will need to ensure that all personal data gathered is done in a legal manner and under strict conditions.
They are duty-bound to protect data from exploitation and should respect the data-owners rights. They also face some pretty severe penalties for failing to data protection.
Several organizations started making some steps towards transparency between them and their customers.
The GDPR is finally bringing up the much-buzzed-about ‘right to be forgotten’ process, which allows citizens who no longer want to store their data.
GDPR and Developers
The logical question is that how should web developers and designers work with the clients from May 25, 2018. The effect of GDPR is more on the way that we work online including both planning of the business and running the major business processes. To be more particular, it touches upon project management terms, UX, marketing, and the web development itself.
The first and fundamental thing to take care when you start working for GDPR is the Privacy Impact Assessment that means a written document created and made everyone in the project to access it. Don’t forget to include the aspects such as audit, discuss, and specify the risks of privacy inherited in the data that you possess.
Coming to working for GDPR, a written document should create where both the client and the designer may find the terms, requirements, and regulations on behaving in the privacy concerning the event.
The Privacy Impact Assessment should make it clear
- What is the data that is processed and retained?
- Where and how is the data stored?
- How does the data subject exercise?
- What are the Access rights?
- What is the Right to data portability?
- What are the Rights to erasure and the right to be forgotten?
- What is the right to restrict an object?
- What are the primary risk sources?
Working for GDPR not only involves design and code but also suggests that everyone involved in that project is aware of the legal background of their profession and knows the local as well as privacy laws.
Companies in that perfect scenario should educate their teams. It is necessary to maintain a documentary proof that the particular web developer or designers.
GDPR and Data Breaches
As discussed, once the GDPR comes into effect, it will introduce a new set of rules that all organizations must follow in case of a data breach.
For startup organizations, is obligated to report any unauthorized occurrence revolving around customer’s data.
In case a name, health record, address, bank detail or any other bit of private data is accessed by an unauthorized party.
The particular organization in this situation is obliged to intimate about the affected and must report it to the regulatory body according to its relevance. Therefore, the vastness of the damage is restricted up to a significant extent.
Whenever the data breach occurs, it must be reported to the relevant regulatory body with immediate effect within 72 hours of the organization is aware of the issue.
It is the responsibility of the organization to let those affected knows that malicious activity via a notification of data breach (Art.33) as soon as the breach occurs.
It means a notice or a press release on the website of the company fails to cover the obligation of an organization to let its customers know of the activity. The notification must be one-on-one.
Fines and Penalties
If any organization fails to comply with GDPR, it will turn into financial repercussions, and the severity depends upon the data breach.
The penalties for data breaching will be from 10 million Euros to 4% of the annual global turnover of the organization (the greater one is affected).
According to the GDPR, the maximum fine will be 20 million Euros or if a more significant number- 4% of the annual global turnover of the company.
This majority applies for violations of data owners, unauthorized transfer of personal data, not giving them access to customers when they request data, and for not following the necessary GDPR procedures application in that place.
Conclusion
The organization must work to discover any weak points in case of existing operations and find how the flow of data is processed and handled by the organizations by performing gap analysis.
The data privacy, according to GDPR is the security that must be considered during the planning phase of the product as opposed to during development.
