Yes you read right, starting May next year
Any organization that provides services to Europeans, irrespective of where in the world it operates, and specifically if that service requires you to collect personal information, will be subject to the GDPR requirements.
Your customers will now have the right to require that an organization that collects personal data show them all the data that company holds about them, and they will even be able to make corrections to it. They will also have the legal right to ask that you remove it from all of your systems and prove that you have done so.
As an organization you will also have a legal obligation to show, from a compliance perspective, that you have the processes for handling requests for correction and erasure of data, and to actually carry them out. This is something that for now is almost impossible for some organizations.
In May 2018, a European privacy law, the General Data Protection Regulation (GDPR), is due to take effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.
Typically what happens these days is that we collect data and use it in whatever way we want. What the GDPR brings about is that you can only use data for the purpose that was stated at its collection. Customers will now have the right to understand and ask how, where and for how long you keep their data.
As an organization you will be required to publish your policies around data retention and deletion: information such as how long you keep data, what backups you use, and where that data is actually located.
Organizations larger than 250 employees will now be required to have their own data protection officer. This becomes exciting for people who are, or are looking to be, Data Protection Officers, as it means more job opportunities for you.
Organizations will now be implementing privacy impact assessments. This means asking what the implications are when data gets leaked, what type of data is leaked, what the impact to that individual is if the data is leaked, how you are protecting that data, and how you are putting in place the right policies and processes to address those issues. These are some of the questions you will proactively get from customers when data breaches occur.
Some of the other things the GDPR requires of organizations are mandatory breach reporting and 72-hour reporting once you discover a breach, which is usually very hard to do.
Key changes under GDPR
Key changes under GDP
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
Controls and notifications
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
IT and training
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
What GDPR means for your data
Protecting customer privacy with GDPR
What Does this Mean 4 Africa
One of the requirements of the GDPR is that organizations in the EU need to help the organizations they work with to also be compliant, so if your company acts as a supplier/vendor to an organization based in any of the EU countries then you also need to start looking at ways to be compliant.
For those startups looking for investors based in the EU, one of the requirements is that they will require you to also be compliant with the GDPR.
As this policy is put in place and organizations strive to be compliant, you will find that these policies start being adopted as standards in many other regions. Canada has already adopted some of these policies. As much as you might want to run away from it, it will catch up with you either way.
As we go through this digital transformation journey and move a lot of our services online, we also need to start thinking about and looking into which service vendors we use and whether they are compliant.
Because of the increasing digitization of our lives, vastly more personal data is being generated and collected than ever before. This data can be used to make cloud services more useful, to build better products, and to enable governments, businesses, and researchers to gain new insights into human behavior. Data is also enabling everyday objects that are connected through the cloud to interact with each other and perform actions that improve lives, drive business efficiency, and power new public services.
Data analytics, machine learning, and artificial intelligence made possible by cloud computing are helping organizations in manufacturing, education, healthcare, and many other sectors understand complex systems, improve efficiency, reduce costs, solve difficult problems, and deliver new capabilities.
The challenge is that as we continue to generate a lot of this data, we find that much of it is held by private companies and by governments. This of course raises a lot of concerns about how this data is being processed and what it is used for. This is one of the reasons you will find a lot of people are reluctant to adopt technology solutions: they are not sure if their data is private and secure. These are some of the issues that you will see being addressed in the GDPR.
Companies such as Microsoft have been practicing some of these policies and have already made a commitment that by May next year all cloud solutions will be compliant.
I will be sharing more around the GDPR, so please share and subscribe for more.