GDPR brings opportunities to tech businesses
The General Data Protection Regulation (GDPR) is taking effect in May 2018, and if your organization collects or processes EU citizen data, you need to take actions. Emails, social posts, and digital product accounts are all covered by the regulation.
The value of personal data is ever increasing, and the aim of GDPR is to pass some value and control back to the individuals. Getting compliant with the Regulation will help your organization build a data-focused business that is ready to beat the competition in the economy of the future.
In the next five months, you will need to prepare an action plan to meet the minimum requirements.
What you need to do:
1. Designate a Data Protection Officer (DPO)
The project coordinator will oversee the data protection strategy and implementation. At Skein, Denis Novik is our DPO and you can contact him with any questions at data@skeingroup.com.
2. Analyze and plan
The DPO team will need to identify and analyze what personal data is currently being captured, stored and processed; both within the organization or through third-party subcontractors.
3. Update your Privacy Policy
A Privacy Policy has to be publicly displayed on your website. It must cover the information about user rights, including the right to access their personal data that you store, and how they can delete it or change the user permissions.
4. Integrate data protection into your digital assets and systems
Privacy by Design and Default requirements dictate that data protection measures have to be designed into the very architecture of digital products and services. Such measures include encryption of personal data, the collection of an absolute minimum of data required for the service provision and limited access to personal data only to those who need to process it.
5. Anonymise data locally
Encryption and decryption operations must be carried out on your local servers, not with remote third-party providers. So for any personal data processing systems, a specialist has to review and, if needed, redesign the storage and processing infrastructure.
6. Organize your data processes and workflows
Companies must inform their customers within 72 hours of any breach, that may endanger “individual rights and liberties”. The authorities should also be notified within the same timeframe, except in cases when the personal data is encrypted. This means you’ll need to ensure complaint collection and response processes built into your operations.
7. Make AI transparent
If your system involves any kind of Artificial Intelligence or black box decision making you need to act on the “right to an explanation” requirement. For any automated decision-making process, there should be an easily available explanation with the exact steps that led to any conclusions or insights. Be ready to engineer a transparent system that combines a sophisticated algorithm that would be very easy to explain and dissect.
Overall, GDPR requirements, despite forcing the businesses to change their ways of doing business and dealing with data, ultimately can help your business to transition into the data-led economy and benefit from a better-protected data market.