GDPR (General Data Protection Regulation 2018): Are you Compliant?
So you’ve launched your new snazzy app with its cool new functionality, and you’re ready to harvest all that lovely customer data. Oh the insights and the marketing opportunities that will emerge from this data goldmine! Kerching!
BUT HANG ON A MINUTE. LET’S THINK ABOUT THAT PERSONAL DATA FOR A SECOND.
Do you know how it will be collected, recorded and stored? Do you know where it will be kept and how it will be protected? Are you confident that you’ve obtained permission to use that data in a lawful way? Are you confident that any subcontractors who handle this data will do so responsibly?
Because there’s this rather big thing looming on the horizon and it’s going to change the way most of us do business - the European Union’s General Data Protection Regulation (GDPR).
It applies from 25 May 2018 and supersedes the regime of the UK’s Data Protection Act 1998. That deadline may seem a long way away, but it isn’t.
The scary part is that the most serious failures to comply could result in fines of up to 20 million euros or 4% of annual global turnover, whichever is the greater. Could your business survive such a fine, not to mention the reputational damage?
But the exciting part is that GDPR is also an opportunity to show how professional and responsible you are when it comes to protecting your customers’ data and privacy. It could be a marketing opportunity.
As the Information Commissioner’s Office says: “Good information handling makes good business sense”.
So, how will it affect us and what should we be doing to prepare?
GDPR IN A NUTSHELL?
This is the EU’s attempt to harmonise personal data protection laws across Europe. It sets down rules for how organisations should collect and process personal information, and is primarily designed to give more control to citizens over their personal data and how it is used.
Basically, organisations need to keep records of the personal data they process and be able to show where it’s going, what it’s being used for, on what lawful basis, and how it’s being protected.
So what are main changes?
The definition of personal data has been widened to cover anything that could be used to identify a living person, directly or indirectly, including online identifiers such as an IP address or a cookie ID, and location data. Genetic and biometric data used to identify someone join the “special categories” that need extra protection. It’s no longer just names, addresses, contact details and so on.
Another main change is a new principle of accountability - you must be able to demonstrate how you are complying with the new rules.
And the lawful bases under which you can process personal data are spelled out more strictly. Consent is only one of them, and it isn’t always the right one to rely on; the basis you choose affects the rights individuals can exercise. If you do rely on consent, it must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action, and as easy to withdraw as it was to give. No more pre-ticked boxes or consent buried in the terms and conditions.
OK, what should we do first?
Get a grip on your data. A surprisingly large number of companies don't really know what data they hold on their customers, where it is, or even how it is being used. So a fundamental data audit should be your top priority: what personal data you hold, where it came from, where it is stored, who you share it with, why you process it and how long you keep it. You’ll need to keep those records up to date under the new “accountability” principle.
And if you already have policies stipulating who has access to different classes of data, don’t assume that these policies are being followed. There’s plenty of survey evidence out there suggesting that staff often ignore them, or don’t even know about them.
And now that staff can store work documents on smartphones, laptops and potentially insecure cloud-based services, customer data that you’re meant to be protecting could be anywhere. That’s a security nightmare, and it’s also a records problem: you can’t account for data you don’t know you hold.
IS THIS JUST SOMETHING IT CAN TAKE CARE OF?
No. Data protection isn’t an IT issue, it’s a business issue, and everyone in the business needs to be aware of what’s going on and how important this is.
Most GDPR experts agree that you’ll stand a much better chance of success if you appoint someone – preferably at board level – to take specific responsibility for this. (Some organisations, including public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data, must formally appoint a Data Protection Officer.) Because after your data audit, you may find that the changes you need to make are more sweeping than expected. This is digital transformation, not just cybersecurity.
For example, would you know what to do if a customer made a "subject access request", demanding to see what personal data you hold on them, why you hold it and whether it’s accurate? You will normally have just one month to respond, and in most cases you can no longer charge a fee. Would you have the resources to handle possibly lots of such requests? How would you ensure that personal data was properly deleted – from backups and from any subcontractors you’ve passed it to – under a “right to be forgotten” (right to erasure) request?
What about subcontractors?
If you share your customers’ personal data with a third party who processes it on your behalf, you can’t just assume that they’re going to look after it properly – you must only use processors who give sufficient guarantees that they will meet GDPR’s requirements, and you must have a written contract with them that sets out what they may do with the data, the security measures they must apply, and the help they must give you with subject access requests and breach notifications. Processors also carry direct obligations of their own for the first time. So lawyers are warning that lots of contracts will have to be redrawn and renegotiated as a result.
But doesn’t Brexit mean this doesn’t apply to us?
Er, that’s a big no. The GDPR applies to data processing carried out by organisations established in the EU, but it also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour. So if you want to trade with EU citizens and companies, you’ll have to abide by the same rules. It’s as simple as that. And the UK government has confirmed that the decision to leave the EU will not change this.