GDPR: The Low-Down & What It Means For Businesses
The countdown is on until the General Data Protection Regulation (GDPR) takes effect. Published in May 2016, it gave businesses a two-year transitional period before it applies from 25 May 2018. A survey carried out by Dell in October 2016 found that 97% of companies had no plan in place to prepare for the new EU legislation.
What is GDPR?
The General Data Protection Regulation was designed in an effort to update the existing Data Protection Directive, which dates back to 1995. Since then our lives, both personal and work, have become more reliant than ever on the internet. Living in a digital world has transformed how we use, share and store information.
Hardly a day goes by without you sharing personal information online: sending an email, buying products, paying a bill or sharing documents with colleagues and clients. Your IP address, online behaviour, banking details and social profiles are all stored digitally. The new legislation aims to give individuals in the EU, whether as citizens, employees or customers, more power and control over their personal data, and it makes businesses accountable for compliance and security. The end goal is greater personal control over, and protection of, this information.
GDPR makes no distinction between personal data gathered in a public, private or workplace context. Even in a B2B relationship where customer and supplier are both organisations, the legislation protects the individuals involved in the process, such as the named contacts on each side.
What Rights Does The GDPR Provide?
At its core, the GDPR sets out eight rights for individuals. Some are new and some update rights that already exist under the current Data Protection Directive.
1. The Right To Be Informed:
Organisations collecting data are obliged to provide “fair processing information”, normally through a privacy notice that states what the data will be used for. The privacy notice must be concise, transparent about the organisation’s intentions, and easily accessible. If personal data is exposed to an unauthorised third party, through loss or a hack for example, the organisation must notify the supervisory authority within 72 hours of becoming aware of the breach, and must inform the affected individuals without undue delay where the breach is likely to put them at high risk.
2. The Right of Access:
Individuals have the right to access their personal data at any time and to ask how it is being processed. The organisation must respond, normally within one month, and provide the information in electronic format, free of charge. However, the ICO state that “you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.”
3. The Right of Rectification:
This ensures that individuals can have inaccurate or incomplete data corrected. If the data has been shared with third parties, it is the organisation’s responsibility to inform those third parties of the rectification. The organisation must also tell the individual, if asked, which third parties the data was shared with.
4. Right to Erasure/To be Forgotten:
Allows individuals to request that their personal data be deleted. This applies, for example, when the data is no longer necessary for the purpose it was originally collected for, when the individual withdraws consent, or when the data was obtained unlawfully. Deletion must be permanent; moving records from an active database to an inactive one does not count.
5. The Right to Restrict Processing:
If requested, the organisation may continue to store the individual’s data but may not otherwise process it. In practice the organisation keeps just enough information about the restriction to make sure it is honoured in any future processing.
6. The Right to Data Portability:
This allows individuals to obtain their personal data in a structured, commonly used and machine-readable format so that they can move it from one service provider to another. Organisations must provide a safe and secure method for this transfer. In the UK, the government initiative midata promotes this practice.
7. The Right to Object:
Individuals have the right to object to the processing of their personal data for direct marketing, which must then stop, and to processing for scientific or historical research purposes unless that processing is necessary for a task carried out in the public interest. The organisation must bring this right to the individual’s attention clearly and at the latest in its first communication with them.
8. Rights Related to Automated Decision-Making & Profiling:
Gives individuals the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions have legal or similarly significant effects on them and are taken without human intervention.
Impact of GDPR on Businesses
GDPR applies to all businesses established in the EU, whether the data processing itself takes place there or not. Non-EU businesses and organisations that offer goods or services to individuals in the EU, or monitor their behaviour, are also subject to it. Even a free online service falls under GDPR if it collects IP addresses, sets tracking cookies or takes personal details through form submissions.
Perhaps the biggest challenge GDPR poses for businesses is the detailed recording of user consent. Compliance is moving away from box-ticking: once the regulation applies, businesses and organisations will need time-stamped records of when a user gave consent, what they consented to, and how their data was then processed.
This does not affect only the IT department; it also covers sales and marketing and how they conduct their activities. For example, collecting business cards at trade events and adding the contacts to a mailing list will no longer do on its own, because a handed-over business card is not recorded consent to marketing. New ways of collecting and recording this customer information will be required.
There must be traceable proof that the individual has given consent. A disclaimer, a pre-ticked box or a mere opt-out option no longer counts as consent. Double opt-in, where the individual confirms the sign-up through a second step such as a link sent by email, is the accepted way of demonstrating it. If a marketing list has been purchased from a third party, the business or organisation using the list remains responsible for making sure valid consent was obtained.
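The record-keeping described above, as an added example rather than code from the original article: a small append-only consent ledger in Python. It records who consented, to which purpose, when (UTC), how, and under which version of the privacy notice; implements double opt-in with a time-limited confirmation token; records withdrawals as new events instead of editing history; and answers the question an auditor or a marketing system actually asks, "was processing for this purpose covered by confirmed consent at this point in time?". The class and field names, the HMAC-based token, the 24-hour token lifetime and the sample subjects are all assumptions made for the illustration.

```python
"""Append-only consent ledger with double opt-in (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # who (pseudonymous ID or e-mail address)
    purpose: str         # what the data will be used for, e.g. "newsletter"
    event: str           # "requested", "confirmed" or "withdrawn"
    at: datetime         # when, in UTC; never edited after the fact
    source: str          # how it was collected, e.g. "web_form:/signup"
    notice_version: str  # which privacy notice text the subject was shown


class ConsentLedger:
    """Events are only ever appended; the current status is derived by replaying them."""

    def __init__(self, secret: bytes, token_ttl: timedelta = timedelta(hours=24)):
        self._events: List[ConsentEvent] = []
        self._secret = secret        # hypothetical server-side key for confirmation tokens
        self._token_ttl = token_ttl  # assumed lifetime of a confirmation link

    def _token(self, subject_id: str, purpose: str, requested_at: datetime) -> str:
        # Token is bound to subject, purpose and the exact request time, so an old
        # confirmation link cannot be reused for a later request.
        msg = f"{subject_id}|{purpose}|{requested_at.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]

    def request(self, subject_id: str, purpose: str, source: str,
                notice_version: str, now: datetime) -> str:
        """Double opt-in step 1: record the sign-up and return the token to send back."""
        self._events.append(ConsentEvent(subject_id, purpose, "requested", now, source, notice_version))
        return self._token(subject_id, purpose, now)

    def confirm(self, subject_id: str, purpose: str, token: str, now: datetime) -> bool:
        """Double opt-in step 2: accept only a fresh token for the latest, still-open request."""
        history = self._history(subject_id, purpose)
        req = history[-1] if history else None
        # Rejects: no request, replay after a confirmation or withdrawal, expired link.
        if req is None or req.event != "requested" or now - req.at > self._token_ttl:
            return False
        if not hmac.compare_digest(token, self._token(subject_id, purpose, req.at)):
            return False
        self._events.append(ConsentEvent(subject_id, purpose, "confirmed", now,
                                         "token_confirmation", req.notice_version))
        return True

    def withdraw(self, subject_id: str, purpose: str, source: str, now: datetime) -> None:
        """Withdrawal is a new event; the earlier consent stays in the log as evidence."""
        self._events.append(ConsentEvent(subject_id, purpose, "withdrawn", now, source, ""))

    def permitted(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was processing for this purpose covered by confirmed consent at time `at`?"""
        state = False
        for e in self._history(subject_id, purpose):
            if e.at > at:
                break  # events are appended in time order
            if e.event == "confirmed":
                state = True
            elif e.event == "withdrawn":
                state = False
            # A bare "requested" (single opt-in, or a purchased list) never grants consent.
        return state

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """The traceable proof chain for one subject and purpose, oldest first."""
        return self._history(subject_id, purpose)


if __name__ == "__main__":
    ledger = ConsentLedger(secret=b"demo-secret-do-not-use")
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    token = ledger.request("alice@example.com", "newsletter", "web_form:/signup", "notice-v3", t0)
    print("before confirmation:", ledger.permitted("alice@example.com", "newsletter", t0))
    ledger.confirm("alice@example.com", "newsletter", token, t0 + timedelta(minutes=5))
    print("after confirmation: ", ledger.permitted("alice@example.com", "newsletter", t0 + timedelta(hours=1)))
    ledger.withdraw("alice@example.com", "newsletter", "email_unsubscribe", t0 + timedelta(days=30))
    print("after withdrawal:   ", ledger.permitted("alice@example.com", "newsletter", t0 + timedelta(days=31)))
    for e in ledger.evidence("alice@example.com", "newsletter"):
        print(e.at.isoformat(), e.event, e.source, e.notice_version)
```

Two design points matter here. `permitted` takes a point in time rather than answering only for "now", so a campaign sent last month can be shown to have been covered by consent even if the subject has since withdrawn. And a contact loaded from a purchased list is recorded with a "requested" event and a source naming the vendor, which documents where the data came from but never yields `permitted() == True` until the individual confirms.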
Moving forward organisations will have to ensure that the privacy rights of the individual are at the forefront of their product and service offerings. This is known as Privacy by Design.
Privacy by Design
It is an effort to make privacy a key component in the design and architecture of both IT systems and business processes. From the outset, any service or process that requires personal information from a customer must have appropriate measures in place to protect their data and privacy.
Organisations must be able to show that the security measures adhere to an adequate standard and that compliance is monitored at all times. Every process that requires personal information should be designed with compliance at the core.
Privacy by Default
This means that when a customer takes up a product or service, the most privacy-protective settings apply automatically, without the customer having to change anything. Personal information must be kept only for as long as is necessary to provide the product or service.
Organisations and businesses alike will be expected to know what data they hold on each person and exactly where it is stored. This is not too difficult when data is held centrally; it is far harder, and riskier, where employees keep data on individual devices such as laptops and portable drives.
If personal data is lost or stolen, organisations will have up to 72 hours from becoming aware of the breach to report it to the supervisory authority (the ICO in the UK), unless the breach is unlikely to result in a risk to the individuals concerned. The report must describe the breach and how the organisation is dealing with it. Where the breach is likely to result in a high risk to those affected, they must be notified as well. Organisations that fail to comply and to protect data accordingly face fines of up to 4% of global annual turnover or €20 million, whichever is higher, from the Data Protection Authorities (DPAs). On top of this, affected individuals have the right to claim compensation for both material and non-material damage.
How Businesses Should Prepare for GDPR
Privacy by design should be at the forefront.
1. Find all the sources where the data comes from
Audit and map out where all the personal data within the business comes from and how it is processed. Document where that data is stored and who has access to it, and note all potential risks. Assess how easy it is for customers to withdraw consent or request that their data be permanently deleted.
2. Assess what data is important to the business
Ensure that customers are fully aware of why the business is collecting the data and that consent is clear. Collect only data that the business actually needs, and delete the rest. In some cases it is cheaper to delete information than to keep protecting it.
3. Ensure appropriate security measures are in place
Assess where data is stored and processed. Ensure all the necessary precautions and security measures are in place, together with a full plan of action should a breach occur. If storage is outsourced, the provider needs equivalent plans and processes, as both the controller and the processor carry obligations under GDPR.
4. Outline appropriate measures for handling data
It is vital that businesses have established procedures for each of the eight GDPR rights. For example: how will an individual’s data be deleted if requested? What is the full process for obtaining valid consent from an individual?
GDPR may pose challenges to many businesses, so it is crucial that all the necessary components are mapped out and prioritised. Once in effect, however, this transparency should improve the relationship between businesses and consumers.