After almost seven years in the making, a new law on data collection, processing and protection came into effect on May 25th. GDPR aims to give European citizens more control over their personal data and to make companies adopt a transparent policy on data storage. However, to become GDPR-compliant, businesses have to overcome many difficulties; otherwise, they may face hefty fines.
What is GDPR?
The General Data Protection Regulation (GDPR) was issued to replace the outdated Data Protection Directive that came into force in 1995. After almost 20 years the old law had become outdated and was no longer suited to the modern digital age. GDPR is the most essential piece of legislation regarding technology, the internet and users. The business world is adjusting to the new rules, which have global reach.
GDPR is designed to protect the personally identifiable information (PII) of European Union residents. It brings together several existing laws and regulations to standardize the rules across all EU countries. The regulation's main concerns are the privacy rights of users and the trail of data they leave behind while using online services and making purchases. It affects all businesses and changes how they gather, store and protect their customers' information.
Explicit notice of data collection is one of the primary requirements of the law. Companies have to notify users about the collection and usage of their data, and users have to give explicit consent for companies to use it. GDPR aims to give users more control over their personal data. They have the right to know what details a company or organization holds about them, and they can exercise the right to erasure to request that any of that data be deleted if they think their privacy is being infringed. The regulation also introduces the notion of pseudonymization, a process that requires all data to be encrypted so that it can’t be used to identify a person.
Personal data covers a wide range of information: anything that could potentially allow a person to be identified online, directly or indirectly. Today, almost every aspect of our lives revolves around data. Almost every service we use, online or not, involves the collection and analysis of our personal data. Social media, online stores, banks, insurance companies: they all collect, analyze and store a lot of information about us, including but not limited to name, address, bank details, email address, medical information, computer IP address, etc.
Under GDPR, companies suffering a data breach need to disclose the event to the relevant authorities within 72 hours of it happening. However, the regulation doesn’t require companies to notify users about such occurrences.
Who needs to comply with GDPR?
The new rules have global reach. This means that if a business provides goods or services to a European Union citizen, it needs to be GDPR compliant, even if the company is registered outside Europe. If it fails to do so, the company can be subject to fines. Even if you restrict access to your application, website or online store for people with European IP addresses, you can’t be sure that a European citizen won’t use it from another country or from behind a VPN, proxy, etc. You are responsible for all data that you collect or store.
Under GDPR rules, there are two roles you and your company may have: data controller and/or data processor.
A data controller defines how and why the data is processed, but this organization, person or agency doesn’t necessarily carry out these activities itself. It can rely on a third party for data collection in accordance with the rules it has defined.
A data processor performs the actual data collection and processing. It has to maintain records of all processing activities and, in case of any dispute, present them to prove compliance with GDPR. In case of data breaches and other violations, the data processor notifies the data controller, which is held responsible and is liable for financial penalties.
The rights of European citizens
In the past few years, the world has faced many data breaches and hacks that left sensitive data exposed on the internet and made people feel vulnerable. Companies tend not to talk about such occurrences with their customers, who often find out about them from the press.
GDPR brings huge changes. Not only do users have the right to know about data breaches, but they can also define what data they are comfortable with companies collecting and storing. If they fear that abuse of specific data could put them in danger, especially when it comes to personal data, banking information and insurance numbers, they may withhold their consent and opt out of their details being processed by third parties.
Also, if for some reason a customer wants to stop a company from storing a specific type of data, for example an email address on a mailing list, it is possible to use “the right to be forgotten” and have it deleted. The business can’t deny this right, as that would violate the regulation.
People have the right to access any information a company holds on them and to know why the data is being processed, how long it is stored for, and who has access to it.
The penalty for noncompliance
If you still think that your company can hope for the best and ignore GDPR, you need to rethink that decision. The risks are huge, as the fines for noncompliance are high. It is essential to keep two main penalties in mind.
First of all, if an organization fails to report a data breach within 72 hours after becoming aware of it, it is subject to a penalty of €10 million or up to 2% of annual turnover, whichever is higher. You don’t just need to notify the authorities, but also present a full report covering the type of data affected, how many people could suffer from it and how, what measures have already been taken, and the full plan of further actions.
In addition to this penalty, you are also held responsible for the data breach itself. Under GDPR the violator could be charged €20 million or 4% of annual turnover, whichever is higher. Such a penalty would have a big impact on any organization, even on corporations worth many millions.
How blockchain can help companies become GDPR compliant
With GDPR’s strict requirements, companies all over the world are struggling to comply. They hire data officers and turn to consultants and agencies to make integrating the new rules into business operations easier and safer.
Blockchain would allow companies to avoid storing information about their users. For example, if a customer wants to buy a product or a service, he or she would create a private address, buy cryptocurrency and make a transaction. In such a case the company is neither a processor nor a controller, as it doesn’t have access to the data and neither uses nor stores it. The payment is made within a decentralized ledger that is hard to use to identify a person. This is only one of many examples of how blockchain can make GDPR compliance easier and faster.
A company can also use blockchain to store user data. Due to decentralization and the absence of a central authority, it is protected from hacker attacks. The organization gains a unique opportunity to prevent data leaks, thereby minimizing the probability of violating the regulation.
Emercoin is exploring the potential of incorporating blockchain into business operations to help companies become GDPR compliant. Together with UpLogics Consulting we are working on a project dedicated to GDPR. UpLogics Consulting is a company with more than three years of experience in deploying blockchain technologies and providing services for companies that would like to benefit from them. Together with Emercoin, it is developing a solution that provides a reliable and secure connection between businesses and users, who retain full control over their personal data. We will share more news about the project soon.