There are quite a number of things to freak out about…
A debit alert from your Mastercard when you didn’t even use it…
Missing your flight and having to pay extra on your ticket…
Or that influx of emails from companies in your inbox asking you to read their updated GDPR privacy policies.
Did you even get the emails from services you can’t remember subscribing to?
We’re sure you’re thinking, if you get one more GDPR mail, you would pull your hair out.
We know, we feel the same way too, but alas, we cannot ignore the almighty GDPR.
What is the GDPR?
In short, it stands for General Data Protection Regulation.
It is a set of laws created by the European Union to protect the personal data of European Union citizens. This was necessary in order to help people have control over the use of their personal data.
So as a Nigerian, the next question is: well, how does this concern me or affect my business?
The GDPR affects more than just businesses operating in the EU. It crosses borders, since its sole purpose is to protect EU citizens: any company that processes data while offering goods or services to EU citizens is bound by the regulation!
So your little ankara business on the side that involves shipping purchases to EU countries like the Netherlands, France or even Germany? As long as you collect their data, you've got to comply.
Defaulting organizations can be fined up to £20 million or 4% of annual global turnover. Imagine a huge corporation paying out 4% of its annual turnover. That could add up to some really hefty fines.
What form of data falls under the GDPR?
Any information that counts as personal details and can be used to identify an EU citizen is protected by the regulation. Examples are:
- Social media posts
- IP addresses
- Bank details
- Email addresses
- Medical information
- Biometric identifiers such as fingerprints, iris scans and so on
This is not the full extent of the regulation, as it also extends to anyone considered to be a minor. That is, anyone 16 years and below cannot legally consent to their personal data being used unless permission is granted by a parent or guardian.
What the GDPR requires
- Safely handling the transfer of data across borders
- That you provide data breach notifications
- That you accurately obtain the consent of data subjects for data processing
- That you anonymise the collected data in order to protect privacy
- That you appoint a data protection officer to oversee GDPR compliance
We believe you now understand the meaning of this regulation and the reason for it. So let's get to the crux of the matter.
1. Short, readable and concise.
2. Your use of data must be explained.
There is a need to be transparent about what you intend to use the collected data for.
You need to make it plain, so people understand whether you sell their data to third parties or use it for marketing purposes.
Browsing an online shopping platform and then finding the same products you looked at on a completely different platform is not by accident!
4. If you do share data with third parties.
Make it plain to the people you render services to.
You need to state with whom you share this data, and for what purpose.
Even though it is within the law for you to share this data with certain parties, you won't be justified in the eyes of the law if you do not inform people that you are doing so.
5. You will have to include the contact details of the company's Data Protection Officer, as well as details explaining how the information is shared, and that your customers have the right to complain to the Data Protection Authority.
6. If you have promised each individual that they have the right to request or access their personal data, then there has to be a confirmation of this promise.
We've talked a lot about a Data Protection Officer, and it's good for you to know that you might not need one if you do not fall into any of these categories:
i. Public authorities
ii. Organizations that engage in large-scale systematic monitoring
iii. Organizations that engage in the large-scale processing of sensitive personal data (Art. 37)
You can check Art. 39 of the GDPR for the tasks of the data protection officer. The point of this officer is to make things easier for your company by having someone knowledgeable about privacy answering the questions and checking for any policy breach that could be harmful to your company.
To get a DPO, you can apply the same standards as you do for any other hire; their professional qualifications and knowledge in the data field would be all that is necessary. Such a person must know a great deal about your company so that your data processing can be monitored effectively.
A good example of a company actively applying the GDPR is Facebook. This can be seen in its new tool that lets users opt in to facial recognition being used to scan their photos, while also giving users the ability to switch it off whenever they want.
Of course, there is a positive side to doing this for your company. It allows you to win the trust of your platform users, and it's also a good way to engage with them. You save yourself from a huge financial fine and you win the trust of your users. It's really a win-win situation.
So… ready to get compliant?