What Is GDPR and Why Should Your Customers Care?
The more your customers learn about GDPR, the more they'll ask how you're meeting its obligations. It's a good idea to understand what those are so that you can explain how you're meeting them.
We all know GDPR is on the way — and, to date, most of the articles around it have been industry-focused, talking about the effect it will have on companies and organizations that gather, hold, and process data. I recently wrote about why DBAs should care about it and advised that you should start your GDPR journey now by finding out where your data is, what exactly that data is, and who is accessing it.
Soon, however, the wind will start blowing from another direction — toward what the GDPR calls data subjects: AKA people, individuals, your customers. These data subjects will wake up to the rights GDPR grants them and realize they should care about it, too.
And they should. Yahoo! recently admitted that a data breach four years ago leaked the account details of every one of its three billion customers, not the one billion it initially claimed. The head of the intelligence monitoring service in the UK, GCHQ, said just last week that keeping the UK safe from cyber-attacks is as important as fighting terrorism.
GDPR is introducing new rights at the same time that the threats to data are the biggest they've ever been. The more leaks and breaches there are, the more your customers will learn that GDPR grants them six specific rights, and the louder they'll ask how you're meeting those obligations.
It's probably a good idea to understand what those rights are so that you can explain how you're meeting them.
The Right to Privacy
This is the biggest and the most telling. GDPR requires that data protection safeguards are integrated into products and services from the earliest stage of development, with privacy always the default option. Privacy by design will become a legal requirement, and only data absolutely necessary will be allowed to be held and processed.
The Right to Consent
Organizations will no longer be able to process the personal information of individuals unless they have been freely given a specific, informed and unambiguous indication of consent, either by a statement or by a clear affirmative action. Long terms and conditions worded in complicated legal language will no longer be accepted. Instead, clear and plain language will be required, as well as making it as easy to withdraw consent as it is to give it.
The Right of Access
This right is all about transparency and means that individuals have the right to be informed when data is collected about them, where from, what it is, and for what purpose. It goes further. A copy of all of the data held also has to be provided, free of charge, on request, in electronic format.
The Right to Be Notified
GDPR requires organizations holding data on individuals to notify them if a data breach is likely to result in a risk to their rights and freedoms. This also has to be done within 72 hours of discovering the breach. This sounds innocuous, but think of what happened to Yahoo!, and then try and calculate the cost of notifying millions, possibly billions of customers, in such a short time-frame.
The Right to Transfer Data
GDPR brings portability to data, giving individuals the right to have their data transferred elsewhere in a 'structured, commonly used, machine-readable and interoperable format'. It doesn't go further in specifying the format, but it does raise the issue that sectors like banks and utility companies will probably need to agree on a common format to avoid confusion.
The Right to Be Forgotten
The big one. From next May, individuals will have the right to request that their personal data is erased without undue delay, and no longer disseminated or processed by third parties. This is not an unlimited right, but must be balanced against legal freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims. Expect confusion here, and probably a court case or two to establish its boundaries.
Now is a good time to think about the kind of personal data your company or organization processes, and how you'll answer questions from customers when they become aware of their new rights.
This is the second post in a series about GDPR. In my next post, I'll be talking about what Privacy Impact Assessments are, how you complete them, and why they're the first concrete step you need to take now.
Published at DZone with permission of Richard Macaskill, DZone MVB. See the original article here.