European Union has long hands and its proven once more that pretty much all the "big" companies are all equally susceptible to punishments if we fail to adhere to their rules and regulations. One such regulation is the GDPR-General Data Protection Regulation. And the sole reason why most of the big companies had to report their data vulnerability, breaches within 72 hours. Actually, GDPR is more than that, but let's take a quick glance at what it does.
This seems to be the slogan for multiple social causes this year. From Women's rights to #MeToo movement to #TimesUp to data security. For companies online, here's what it means - in your interaction with your customers - your terms of consent must be clear, consent is to be freely given and withdrawn at all times. Remember "terms apply" mandatory statement that would be recited in fast forward mode - "Mutual funds are subject to solicitation, please read the offer documents carefully before investing". Well, not anymore. And similarly, the companies online can't confuse their customers with ridiculous language, it has to be clear and straightforward.
If the data has been compromised, then companies are liable to notify the customers and stakeholders, within 72 hours. There is even a GDPR data controller if the organization is a large enough to require one. And the failure to report such breaches within this timeframe will lead to massive fines.
If the existing users are requesting to see their profile so far, the companies must oblige. With a free detailed e-copy of the data you've collected about them. Not only do they get to see the different types of data they have, but are also required to reveal the ways of using this information.
It's simple, once the user's engagement with the company is over, they have the right to ask the company to delete their profile completely. It's called the Right to be Forgotten.
Just because the company has collected it (painstakingly) with consent doesn't mean they have the sole right for information. Of course, the customer has the first right, but the company can't stake a claim as the customer can use the information collected, analysed by the company anywhere else as well. As in, if the company decides to go to the competitor then the competitor can acquire the information if the customer requires it.
GDPR is making companies redo their design or is ensuring that the companies design their data collection keeping data privacy and security as priority.
Based on the size of the company, there will be a requirement for appointment of GDPR Data Controllers and Data Protection Officers.
So, this is GDPR, time to run that Data Security Check. Looks like EU is watching!