June 20 2020

GDPR vs Bahamas Data Protection (Privacy of Personal Information) Act (DPA)

In today’s world, with constant technological advancement and the growing use of personal data through e-commerce, online searches and video streaming, privacy and data protection are expected to face new challenges. Although a number of frameworks have been developed to address data protection, the most notable is the General Data Protection Regulation, or GDPR.

What is the GDPR?

The GDPR has essentially standardized data protection laws across Europe and has afforded individuals stronger rights to access and control their personal information. This progressive approach has led a number of countries to use the GDPR as guidance for how individuals’ personal data should be handled. The GDPR has also had a substantial effect globally, due in part to its extraterritorial reach, which is triggered once any organization collects, controls, processes or stores any personal data involving European nationals.

The GDPR vs Bahamas DPA

The GDPR is often regarded as one of the most comprehensive data protection frameworks, so it is worth highlighting some key similarities and differences between it and the Bahamas Data Protection (Privacy of Personal Information) Act (DPA).

In brief, both the GDPR and the DPA give consumers the right to access, the right to delete and the right to correct or rectify inaccurate data. They differ in that the GDPR explicitly requires notice and consent while the DPA does not. Unlike the GDPR, the Bahamas law does not require database registration, does not make the appointment of a data protection officer mandatory and does not restrict cross-border transfers. Nevertheless, while the DPA does not explicitly require these, it has provided non-binding guidance on them.

Recommendations for GDPR Compliance

As recently as 2019, Google was found to be in breach of the GDPR for failing, among other things, to provide adequate information to users about its data consent policies. It was fined over €50 million by France’s data protection regulator. Though most of the fines imposed so far have been small, non-compliance with the GDPR can result in a fine of up to €20 million or 4% of annual global turnover, whichever is higher, and fines of up to 2% of annual global turnover for lower-level offenses.

Here are three recommendations to help stay compliant with the GDPR:

  1. Conduct regular audits and risk assessments – Under the GDPR, organizations must conduct regular audits. This allows an organization to determine how data is collected, processed and retained. To reduce the likelihood and impact of a data breach, it is important to minimize who has access to the data and the number of places where the data is stored.
  2. Train and educate your employees – The GDPR stresses the importance of regular employee awareness training, so it is important to have clear internal policies on data security and to ensure that employees are well versed in the organization’s policies as well as the requirements of the GDPR.
  3. Generate an incident response plan – The GDPR states that all organizations must disclose any personal data breach within 72 hours of detection. To comply with this, an organization needs to have a plan in place that outlines the steps that will be taken in the event of a breach.
