With millions of hacker attacks, billions of data leaks, and unlawful use of user personal information the issues of data security are of a major concern.
Many companies, institutions, and even governments take various measures to provide full data protection.
Nowadays any successful large organization has a whole set of internal security policies and standards, and you’ll always find a policy of protecting personal data among them.
The GDPR means that such procedures should be implemented by all IT companies, whose projects have at least some relation to personal data of EU individuals.
What is the GDPR
The GDPR, or General Data Protection Regulation, is a regulation that requires businesses to ensure data security and privacy of EU citizens. It’s a hige step towards providing complete data security of all EU citizens.
The new regulation will come into force on May 25, 2018, and impact not only EU member states but any country that supplies IT services to the European market. Under penalty of a huge fine, the GDPR prohibits having/including in the supply chain a company that doesn’t meet the requirements.
According to PwC survey, 54% of US companies consider the preparation for the GDPR to be the highest priority on their data security and privacy agenda, while another 38% said GDPR readiness is one of several top priorities. And only 7% reported that it isn’t the main priority.
For Belarusian IT world it means that companies that don’t comply with the regulation will definitely lose many European customers, as well as clients from other countries that have decided to be certified under the GDPR or work with personal data of EU citizens.
On the other hand, if you timely prepare for the GDPR and pass the certification, you’ll get an undeniable competitive advantage and exclude any anxiety related to fines.
Also, you’ll ensure full user data security, which is one of the main requirements for developing quality mobile and web applications.
Territorial effect of the regulation
As mentioned above, the regulation covers all IT companies regardless of their legal address outside the EU, since it has an extraterritorial nature.
So, any organization that stores or/and processes personal information about EU citizens within EU states have to meet GDPR requirements, even if it doesn’t have a business presence within the European Union.
Criteria for organizations to comply are:
- A company has a presence in an EU country.
- A company has no presence in the EU but collects and processes personal data of European citizens.
- A company has more than 250 employees.
- A company has fewer than 250 employees but data processing may affect or affects the rights of EU residents.
A simple and most common example is: a Belarusian app development company with no registration in the EU launched a mobile application using a geolocation and requiring user authorization through email or account in social networks.
The app is published in the App Store or/and Google Play, available for downloading in EU countries, and uses a server leased in Russia. Though neither company nor its capacities are in the European Union, and personal data of EU citizens is used, the company must comply with the regulation’s requirements.
Also, even if the company doesn’t process user personal information, it can be processed by the end customer, for whom you’ve developed the product.
The GDPR protects the following types of personal data:
- Basic identity information (name, gender, ID numbers, etc.)
- Web data (location, IP address, RFID tags, cookie data)
- Biometric data
- Political opinions
- Sexual orientation
- Racial or ethnic data
- Health and genetic data
Find out how to prepare for the GDPR, including regulation rules, requirements, and preparation stages.
Top comments (0)