All of this sounds great for users, but it can seem daunting if you are an organisation that collects personal data. An organisation's data managers are the ones who have to make sure they comply with the regulations. There are 12 main points, here’s an overview of what they are:
1 – Spread Awareness
You have to make sure that every member of your organisation who handles customer data in any way is aware of GDPR. They should know that data regulation is changing.
2 – Accountability
Previously, you didn’t need any reason to retain personal data and you could store it indefinitely. This approach resulted in a lax system of data management and led to many data leaks and hacks. You need to inventory the data that you have and explain why you are keeping it, why you collected it, and what purpose it serves.
3 – Communicate changes
You will have to communicate with your customers/users to ensure that they are aware of any data being collected. You also have to notify customers/users about how the data will be gathered, how it will be processed, and if it will be stored in any place outside of the EU. This regulation is to ensure that you only keep the data that you need and discard the rest.
4 – Privacy of Customers
GDPR gives customers many new rights regarding their data. They have the right to object to direct marketing, and they can also restrict, to some extent, how you process their data. Look closely at the new data privacy rights outlined in the GDPR to see how you will need to account for them.
5 – Access for Customers
Customers/users can already ask for access to their data, but many organisations are slow to respond to such requests and often suggest charging for them too. This will be changing – you will not be allowed to charge your customers/users a fee for data access requests, unless you can prove that the cost of extracting the data is too much for your organisation to bear. You will also have to respond to access requests quickly.
6 – Legal Basis
You will need to identify the legal basis you have for all the data processing that you do. Yes, this means that you should get a lawyer to go through GDPR and your company’s data records to determine the legal basis of the type of processing that you do.
7 – Consent for Data Processing
You will need the consent of customers in order to process their data. The consent should be obtained in an unambiguous manner.
8 – Children’s Data
The GDPR has many data protection policies aimed at the data generated by children. You may need to include, for example, an age verification system where appropriate, and a method of obtaining consent from legal guardians before collecting data from minors.
9 – Data Breaches
Any data breaches that occur have to be reported as soon as they are identified. Users directly affected by a breach must be informed immediately.
10 – Data Protection Assessment
You must do an impact assessment of your data protection measures.
11 – Data Protection Officers
You may also need to hire data protection officers depending on the size of your organisation and the scope of your data collection.
12 – International Data
A new Data Protection Authority will be created that will make sure that international companies comply with GDPR when handling data of EU residents.
Basically, you will no longer be able to simply collect data and keep it indefinitely with no oversight. Organisations will have to adopt much more stringent data storage policies and security measures. GDPR compliance will require some investment of time and money but unlike many previous EU laws relating to privacy, these compliance measures will be strictly enforced with hefty fines for offenders.
Source: Hogan Injury, https://www.hoganinjury.com/gdpr-what-you-need-to-know/