If a customer (consumer or business) asked you for their personal data to be erased from your database, would you be able to act? Here, in this issue of Sussex Business Times, Richard Newell warns that your business must be ready for GDPR – and the clock is ticking!
What is the GDPR?
It’s the General Data Protection Regulation; a UK/EU law intended to combine and strengthen Data Protection within the EU & UK (BREXIT doesn’t affect it).
It’s all about giving control of their data back to the ‘Subject’ (consumer) & not allowing businesses to bombard them with emails, direct mail, SMS messaging or telephone calls without their prior consent – and businesses must prove they have that consent, showing when & where they acquired it.
This law was made on the 27th of April 2016 and will be enforced from the 25th of May 2018, giving businesses only a narrow time frame to adapt to the changes.
The GDPR will cover all countries that process or hold the personal data of UK/EU citizens, whether that country is a part of the EU or not.
Most important changes
All businesses must have a ‘legitimate business interest’ as a lawful ground to process personal data, where there is a relevant and appropriate connection between the data controller and the data subject (consumer).
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Parents will be required to provide consent for the personal data of children under the age of 16 for online services; member states may legislate for a lower age, but this will not be below the age of 13.
Multinationals will benefit from a one stop shop, where the Data Protection Authority (DPA) in the member state where the controller or processor has their main establishment will be the lead authority in relation to data processing undertaken by the controller or processor.
GDPR will require increased compliance, training and the use of Privacy Impact Assessments (PIAs). Data Subjects will have enhanced rights, such as the ‘Right of Erasure’, ‘Right to be Forgotten’, ‘Right to Portability’, and the ‘Right to Control Profiling’.
Data processing agreements between Data Controllers and Data Processors will be required to contain extensive mandatory data protection clauses, such as the controller’s right to audit its processors, and obligations on processors to assist with subject access requests and personal data breaches.
Organisations will be required to maintain a record of ALL their data processing activities, which must be made available for inspection. Codes of Conduct and Certifications will be developed to assist data controllers and processors to demonstrate their compliance with the GDPR and to legitimise international data transfers.
Organisations whose core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale, or of special categories/criminal-related data, will be required to appoint a Data Protection Officer.
Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours, and to affected individuals without undue delay. Fines of up to 4% of annual worldwide turnover for the preceding financial year or EUR 20 million may be imposed for negligent non-compliance.
How to deal with the GDPR
The most direct way to prepare for the GDPR is to audit your present systems against the new Regulation – either by employing an external compliance auditor, who will provide an assessment of your business, or by appointing a Data Protection Officer as soon as possible to assess your processes and systems for compliance.
As technology changes, so must the legislation. Whilst the GDPR may make some processes more difficult for many businesses, it is a necessary step that must be taken to protect the ever-growing amount of personal information that is available online from people who could use that data for harmful purposes.
A recent privacy survey carried out by DELL of 821 IT professionals found that 80% knew little or nothing about the GDPR, while a massive 97% said their companies don’t have a plan in place to implement the new law. Fewer than one in three companies feel they are prepared for GDPR today.