What Is GDPR: General Data Protection Regulation
As per Wikipedia:
It is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Put more simply, all the user information you collect from your app or website needs to have:
- User consent before you store it in your database
- Strong encryption to prevent data breaches
and much more …
To Whom Does GDPR Apply?
If you are an app publisher, a website owner, or an entity with customers or website/mobile app visitors who are from the European Union (EU), you have an obligation to protect those users' data in order to be GDPR compliant.
GDPR Glossary: You Must Know
A Data Controller is the entity that determines the purposes, conditions and means of collecting and processing personal data.
So if you are a mobile app developer, a website developer, or a business that builds apps and websites that collect user data for processing, you are a Data Controller.
A Data Processor is an organization that processes personal data on behalf of a data controller.
Any third-party service provider whose services are integrated into your app or website and which stores user data, such as Flurry Analytics, Google Analytics or AWS, is deemed to be a Data Processor.
A natural person whose data is processed by a data controller or data processor is known as the Data Subject.
For example:
A person whose data is being handled by their bank (here the Data Controller) and by an external marketing firm that works on behalf of the bank (the Data Processor).
Processing is any operation performed on a user's personal data, whether or not by automated means, which includes data collection, recording, use, etc.
For the full GDPR glossary, please refer to this link:
gdpr-info.eu: For the purposes of this Regulation: ‘personal data’ means any information relating to an identified or identifiable…
What You Should Do To Be GDPR Compliant?
As a controller of user data, it is imperative for any organization to implement data protection measures. A few key compliance policies that need to be implemented are:
1. Data privacy by design and by default:
The privacy by design principle calls for data protection to be built in from the outset of product design instead of being left to a later stage as an addition.
According to GDPR Article 23, your app must only hold and process user data that is absolutely necessary. This means that when you are developing your mobile app, or having a third party develop it, you need to consider data protection and user privacy from the start.
2. Consent: Ask Explicitly Before Accessing User Data:
As a data controller you should explicitly ask your users, through an informed mechanism or interface, before accessing and processing their data. They should be well informed about what data you are going to process.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
3. Data Security: Make Sure User Data Is Fully Encrypted And Protected
As a data controller/processor you need to take stringent technical measures to protect users' sensitive data from unauthorized exposure. Data encryption measures have to be in place to prevent unauthorized data access by any third party. Under the GDPR, subjects have more control over their personal data, and companies have to be transparent about how they use sensitive information. Data controller/processor companies need to have a system in place to keep subjects informed of any suspected security breaches.
Companies are required to carry out Data Protection Impact Assessments to address potential risks to consumer data and to promptly address any immediate concerns.
4. Right of Access, Right to Be Forgotten:
Under the GDPR, EU users have full ownership of their data, so they can at any time request access to their personal data from the data controller, who must honor the request and let them know how their information is being processed and what measures are being taken to protect it. Individuals must authorize how their data is processed and can withdraw their consent if they choose to do so. User data needs to be deleted by the data controller if the user asks for it. This right to be forgotten is also called data erasure.
The GDPR legislation comprises 11 chapters and 99 articles; please consult it to further understand the policies that an organization needs to implement to be GDPR compliant.
GDPR Non-Compliance Repercussions:
GDPR enforcement is much stricter than the former Data Protection Act, including costly fines up to €20 million or 4 percent of global annual turnover for non-compliance.
Any appointed Supervisory Authority (SA) can audit an organization's GDPR compliance, to which the data controller must respond and cooperate; any negligence can lead to steeper penalties.
So as an organization, it's high time that you start taking user data seriously and let users be the real owners of their information.
I Feel:
In the coming future any organization’s success and failure will be decided by their readiness to secure user information.
For a large-scale organization that deals with a huge user database every day, appointing a Data Protection Officer (DPO) must be the highest priority. Every regulatory norm needs to be thoroughly scrutinized, user data needs to be secured with solid encryption, and all the provisions need to be in place to ask for user consent, to give users access to their data on request, and to remove the data as and when requested.
As an organization, you need to act only as a protector of user data, not as its owner.