The General Data Protection Regulation (GDPR) is a binding act which becomes enforceable as of 25th May 2018. It is a single set of unified regulations across the EU.
GDPR regulates how businesses and individuals can gather, store, use and eliminate people's personal data. Until now all EU member states had their own separate laws around processing personal data, so this will create stronger and more uniform laws across the EU. Its aim is to provide better protection for individuals around their privacy and personal information.

GDPR positives

Undoubtedly this means a lot of change and of course cost to business. But GDPR makes sense. Whilst the policy itself contains a lot of detail, which can feel overwhelming, it is there to ensure that businesses are processing data in a transparent, ethical and secure way. Weeding out unscrupulous practices benefits everybody in the long run, and the improved trust that will be created should drive better, more profitable customer engagement.

And it will force organisations to get their houses in order. With serious fines (4% of global turnover or 20m euros) for non-compliance, it is driving businesses to take a strategic approach to data management and treat data as the crucial asset it is in this digital age.

Who is affected?

GDPR affects any business that is storing personal data on customers, prospects or employees based anywhere in the EU. So, regardless of Brexit, GDPR is going to affect UK companies doing any form of business with the EU market.

What do businesses need to do differently?
Businesses will need to make a number of changes to their processes around data collection and processing. Here are some of the key obligations:

- Consent to collect and process data must be explicit, not implied. Consent must now be obtained via a clear statement or affirmative action from individuals agreeing to the processing of their personal data. Pre-ticked opt-in boxes and the like will no longer cut it.
- Consent must be freely given, not, for example, under the duress of not being able to access your services.
- Businesses must be able to account for how and why they hold data. They will need to demonstrate good justification for retaining data to ensure compliance with data privacy and the rights of the individual.
- Businesses must be able to share what data they are holding on an individual, if requested, and must be able to provide that personal data in a commonly readable format to enable data portability.
- They must also erase all personal data if requested to do so by an individual wishing to exercise their "right to be forgotten".
- And they must report any breach to the relevant data protection authority; in the UK this is the Information Commissioner's Office (ICO). In the event of any breach they may be asked to show how they were securing data.

Keep calm - it's just best practice!

Whilst there is a lot more detail that underpins the various obligations, our advice for businesses is to not get too overwhelmed by the legalese or view GDPR as a negative. The requirements of GDPR are really just best practice and overall good data hygiene. From an information security perspective, the following should all be part of your process.
- Understand what data you are holding and why.
- Know where and how the data is stored.
- Understand who in your organisation has responsibility for it.
- Encrypt any data you wouldn't want to be disclosed using industry standard encryption.
- Ensure that your employees are generally cyber-security aware. Around 16% of breaches are caused by human error, but with awareness and training your staff can be a defence rather than a weakness.
- And of course, build your contingency plans - know what you need to do in the hopefully unlikely event of a breach involving data loss.
Hopefully you are well on the way to being GDPR ready by now, but if you don't feel you're on track for May 25th we strongly recommend seeking external support. There isn't a one-size-fits-all approach, and with no case law or precedent on which to base recommendations it can be hard for companies to judge what measures are appropriate for their business. And "overdoing it" can be crippling to budgets and resources.
PEPCO's category experts and specialist partners help organisations reduce costs and create efficiencies and process improvement. We have a number of partners who offer specialist legal advice around GDPR, access to GDPR workshops and cyber security reviews that include GDPR compliance. Please contact us if you would like to arrange an introduction.

N.B. This article is for information only and should not be considered any form of legal advice. Businesses are encouraged to seek appropriate professional advice to ensure they understand the commitments of GDPR as it applies to their specific operation.