You may have recently gotten an influx of emails from your mobile phone provider or your favourite online shopping stores about changes to their data protection policies and how they affect you. Or you may have seen posters plastered around the workplace about being GDPR compliant before May 25th. As someone who works in the online security industry, I thought I’d share my thoughts on the complex matter of GDPR by breaking it down into more manageable chunks in the hope that it helps readers gain a better understanding of this regulation.
So, what’s all the fuss about? Surely this isn’t that big of a deal? And what’s the worst that can happen if I don’t comply? These are typical reactions when business owners and senior managers first encounter GDPR, the General Data Protection Regulation. Simply put, GDPR applies from the 25th of May this year. It was adopted by the European Union in April 2016, and organisations and Member States were given a two-year transition period to prepare before it became enforceable. Because it is a regulation rather than a directive, it applies directly in every Member State without having to be transposed into national law, although Member States may supplement it on a few points (the age at which a child can give consent, for example).
THE WHAT: Fundamentally this new regulation governs how organisations handle personal data, and it’s worth spending a few minutes on what actually counts as personal data. It is any information relating to a natural person who can be identified, directly or indirectly. While this may seem straightforward, it explicitly includes online identifiers such as IP addresses and cookies (no, not the edible kind). Indirect identification covers anything that can be linked back to a specific individual by reference to that person’s physical, physiological, genetic, mental, economic, cultural or social identity. In practice this means that web server logs, analytics data and device identifiers all fall within scope, not just names and email addresses.
THE WHO: Consent must be clear and affirmative, and you must be able to demonstrate that it was given. Silence, pre-ticked boxes or inactivity do not constitute consent. The request for consent must be presented in clear and plain language, intelligible and easily accessible; otherwise it is not binding. It’s not quite that simple, though, as special conditions apply to children: for online services offered directly to a child, consent must come from the holder of parental responsibility if the child is under 16 (Member States may lower this threshold to as low as 13). Organisations may therefore have to update their consent language and the processes by which they obtain consent from children, and create a process to capture and verify parental consent. Is this something that your business is prepared for?
Explicit consent is one of the few lawful grounds for processing special categories of personal data such as racial or ethnic origin, health data, biometric data or sexual orientation. And this doesn’t just apply to the data that you hold; you must also consider the data held by the third parties you work with. Part of this exercise is identifying every contractor relationship in which personal data is processed on your behalf and updating those contracts accordingly, since GDPR requires a written agreement that sets out the processor’s obligations. You must also verify that third-party processors can comply with the data protection by design requirements (often referred to as privacy by design).
THE WHY: The good news is that there are benefits that come with the introduction of GDPR. It is the biggest revamp of European data protection rules since the Data Protection Directive of the mid-1990s. GDPR also brings uniformity to the way we think about data by establishing a single set of data protection rules throughout Europe. Because it requires better inspection and validation of the customer data you store, companies should end up engaging only with the customers who actually wish to be engaged with. More simply, individuals will have better control over who has the legal right to hold their personal data.
There are a number of consequences if GDPR isn’t implemented correctly. For example, violations of obligations such as record keeping, security of processing, breach notification and impact assessments can result in a fine of up to 10 million euros or 2% of worldwide annual turnover for the preceding financial year, whichever is higher. If you think that’s bad, the ceiling doubles to 20 million euros or 4% for violations of the basic principles of processing, including the lack of a legal basis or valid consent, as well as for violations of data subject rights or the rules on cross-border data transfers!
THE HOW: To become compliant, businesses must implement technical and organisational measures appropriate to the nature, scope, context and purposes of the processing and the risks it poses to individuals. Data protection safeguards must be designed into products and services from the earliest stages of development. The measures GDPR names include 1) the pseudonymisation and encryption of personal data, 2) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, 3) restoring the availability of, and access to, data in a timely manner following a physical or technical incident, and 4) a process for regularly testing, assessing and evaluating the effectiveness of these measures. Furthermore, data must be collected for specified, explicit and legitimate purposes; where processing relies on consent, individuals must be able to withdraw it at any time; individuals have a right to erasure (the right to be forgotten); and data that is no longer required for the purposes for which it was collected must be erased.
The good news is that some of these requirements are relatively easy to fulfil. The key thing is to take action rather than fly under the radar in the hope that you won’t get noticed. Penalties will apply to organisations that try to get away with it, so make sure you’re not one of them and become GDPR compliant today.