If you’ve been receiving warning or anticipatory mails about the GDPR coming into force, well, congrats because you lived to see that day and it’s today.
If you’re like, ‘Okay, calm. What is GDHR or GDPH or what now?’, well congratulations as well, you’re in the right place to lessen your cluelessness.
So, on the 14th day of April 2016, a day which happens to be the anniversary of the Soviet Union agreeing to withdraw from Afghanistan (1988), of the heaviest hailstones ever recorded visiting Bangladesh with a bang (1986), of President Abraham Lincoln being shot (1865) and of the Titanic hitting an iceberg in the North Atlantic (1912)… on that very day in 2016, the GDPR was approved by the European Parliament.
The GDPR is short for General Data Protection Regulation, but its long title sounds like this: Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Data Protection Directive).
Let’s start with the phrase ‘…repealing Directive 95/46/EC’. I’d like you to imagine a Kingdom in which a technology-backward monarch is reigning. He could continue his reign, but his lack of knowledge about this new technological way of life is slowing the progress of his Kingdom. The kingmakers have two options. They can decide to enlighten him on what technology is and how it affects his kingdom, but that’s just so much stress. Or they may decide to unseat him and put in a more tech-savvy individual to take their Kingdom to glory. And that’s what that phrase has done. It has repealed a formerly existing EU Directive (which Member States had been applying since 1998) and says that once the GDPR applies, it will be the new monarch in charge. You can check out the old monarch here
Now, what does this new king, the GDPR, have to offer us?
First, we know that although monarchs are super powerful and ought to be respected, their power, no matter how great, only exists over the people they rule. So an important question is: who does the GDPR apply to? I mean, it was adopted by the Council and the European Parliament, so why is it now a ‘world thing’?
The answer is simple: the GDPR is focused on protecting the personal data of people in the EU (the text says data subjects ‘in the Union’; you don’t have to be an EU citizen, or even a permanent resident, to be protected). But technology has made it so that their data can sit in the hands of someone far outside the EU. So whether or not you stay in any of the Member States, as long as you process the data of one or more people in the EU, you should pay close attention to what the GDPR says.
Now, I cannot possibly write on everything in the GDPR. It’s actually an entire package of data protection regulations, so you can imagine its length and the variety of subjects it covers. I’ll however discuss some salient/interesting points I came across.
- Did you know that in the EU, the right to the protection of a person’s data is a fundamental right? Like a basic human right? Like the right to life and freedom of expression? It is written into Article 8 of the EU Charter of Fundamental Rights, and the GDPR’s very first recital points to it. And I think this makes sense, because if you guarantee privacy as a fundamental right, it follows that personal data protection should also be explicitly captured.
- Also, the GDPR both protects personal data AND ensures the free flow of data within the EU. THAT, brother and sister, is the idea of TechReg. Controlling and yet advancing. In its recitals (the justification that precedes the actual articles), the GDPR states in Recital 6 that:
“The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”
- Also, the GDPR only protects the data of natural persons (human beings), not legal persons (like companies). Although if you’re a company collecting the data of a human being, you’re covered and have to comply.
- The GDPR does not apply when an individual processes data in the course of a purely personal or household activity, but it does apply to the controllers and processors who provide the means for that processing. (Lol, I know. Let me try to explain this.) Say someone in the EU writes down what they bought for the house, or keeps their friends’ phone numbers in a notebook. That’s personal data, but the provisions of the GDPR do not apply to that person, because it’s a purely personal or household activity. (The storekeeper they bought from, on the other hand, is running a business, so if the store keeps records of who bought what, the GDPR does apply to the store.) The provisions also apply to anyone who provides a technology or other mechanism to store or process this harmless household data. So if the person keeps the same grocery list in an app, the provider of that app has to comply with the GDPR, even though the user doesn’t.
- Remember I said that the GDPR is concerned with the data of people in the EU and would hunt you down even if you aren’t in the EU but handle that data? Well, yes. You may be in some office in Ajegunle or in a corner in Ikoyi; as long as you or your business outfit is offering goods or services to people in the EU (whether for a fee or for free), or monitoring their behaviour (tracking and profiling them online, for instance), you must comply with the GDPR. The question then is how will they catch you? How will they know whether you’re offering goods or services to people in the EU? Well, there are some indicators the GDPR’s recitals propose. Merely having a website that someone in the EU can reach is not enough. But if your site, platform or entity uses or offers the option of a language or currency used in one or more Member States, coupled with the possibility of ordering goods or services in that language or currency, or you mention customers or users in the EU, then there’s the presumption that the GDPR captures you.
So How Do I Comply with the GDPR?
Perhaps the first way to comply with the GDPR is to actually know what it says. It’s a really long read (99 articles, preceded by 173 recitals), so you might want to space yourself out and take relevant notes. You may download it here in different languages.
When you know what it says and you are armed with its provisions, you must align yourself, your business entity and your website to them. Please note that you’re expected to be compliant by today, 25 May 2018.
Practically, you may want to:
- Check your mailing list. If it relies on consent and there are persons who haven’t given affirmative consent (the GDPR wants a clear affirmative act, so a pre-ticked box or silence doesn’t count), you may want to reach out to them, ask them to opt in, give them a deadline, and drop those who don’t.
- The GDPR requires that where you offer an online service directly to a child under 16 and you rely on consent, you need the consent of the holder of parental responsibility (Member States may lower the age, but not below 13). So you may also want to enable an age check, just to be doubly sure. It doesn’t have to be them stating their age; it can be ‘I affirm that I am 16 years and above’, although the GDPR also expects you to make reasonable efforts, given the available technology, to verify that any parental consent you rely on is real.
And so on.
The GDPR is a lot! And it’s not optional, especially if you fall within its scope. So get two boxes of pizza and some Zobo, get your team together, study the GDPR if you haven’t, and align yourself (there’s a joke here about being aligned by the monarch ‘ruler’, the GDPR, but I can’t put my finger on it).
Thanks for reading!
My friend and commenter below, Kevwe, gave this awesome suggestion for self-assessment.
If you’re a data controller (you decide why and how personal data is processed, and it’s in your control and care), take your self-assessment test here
If you’re a data processor (you process personal data on behalf of a controller, perhaps receiving it from other sources to use), take your self-assessment test here
Check here for other tests
I’d love to hear your comments, below!