GDPR is coming – Don’t Panic.

  • IBM

Right now you’re probably bombarded with information about the imminent General Data Protection Regulation (GDPR) legislation from May 2018. The good news is that there’s little change from the current data Protection act (DPA) that is overseen by the Information Commissioners Office. So, if you’re compliant to current law then the adoption of a pan EU GDPR legislation shouldn’t require too much effort.

We’ve seen reports of the failure to comply with GDPR legislation could result in fines of up to 4% turn over. The ICO’s own record of successful fines has seen a steady increase is 2015. The reality is, there’s still a huge amount of ambiguity around the legislations governance and implementation.

DPA guidelines was proven to be applied to many cases where personal data was compromised such as Talk Talk and Sony and yet, such measures, failed to protect personal information from being ‘lost’ to theft but, the fact they adhered to DPA guidance prevented severe corporate penalties from being issued. GDPR aims to make the collection and storage of personal data a board room issue, where organisations need to prove they act in a responsible and prudent way.

Current ICO GDPR guidelines offer¬† a 12 step process to preparing for the new legislation. The guidelines are straightforward and offer a high level view of how training and policies need to adopt the new law. There’s a number of key changes to current DPA law, the biggest by far is the introduction of ‘Individual rights’ to data held by an organisation. The adoption of GDPR by our local governing body (the ICO) means that every organisation will need to demonstrate compliance to these new laws.

Individual rights
GDPR will give the following rights to individuals

  1. the right to be informed
  2. the right of access
  3. the right of rectification
  4. the right of erasure
  5. the right to restrict processing
  6. the right to data portability
  7. the right to object
  8. the right not to be automated decision making and profiling

Clearly, such individual rights will change the way organisation manage data collection, consent approval and any internal data use policy. These new individual rights put responsibility on the organisation to adhere to any of the demands that an individual could make of it. Let’s put it another way; at any time an individual can call and request what information you have of them, how you use it, where you use it and from this they have the right to be removed or restrict its use. These rights will be upheld by the ICO on complaint.

For organisations who maintain a centralised view of their client data, through a CRM or ERP application, this should not be too difficult to manage. However, for organisations with multiple data sources, this could be the time to aggregate applications and seek new consent for use of personal information.

These new righst have led GDPR to suggest the appointment of a data officer who can take on any of the above requests. For many this would be the individual who has overall CRM responsibility.

Under previous data privacy laws ‘presumed consent’ was an accepted part of an individual submitting their information. GDPR changes that. The ICO will need to see proof that an individual has agreed to you using their information and that you’re able to comply to their individual rights.

Trust is an increasingly important value that many consumers and businesses place in their buying decisions. It’s therefore important to place emphasis on your guardianship of personal information as a competitive advantage. Consumers and businesses will have more trust in your brand as a result. To that extent GDPR could be seen as a marketing opportunity

Children
If you are in the business of collating, managing and storing Child data GDPR will affect you more than most. GDPR compliance will require parental or guardian consent for data processing activity. This will place new emphasis on social networking organisations to reveal to parents and guardians exactly what information is being obtained, how it’s being used or shared. This may result in more stringent sign up procedures, which many parents will be in complete agreement with.

Data breaches

GDPR insists upon adequate monitoring and reporting procedures that can detect any data breach. Some organisations need to notify the ICO of any data breach already, however, under GDPR all organisations will have to report to their local information regulator. Any governmental investigation can be painful, so prevention is better than cure. Whilst you can never completely prepare for a data breach (most happen from an internal member of staff!) you can demonstrate you have adequate firewalls, encryption, user access control and reporting flags. This leads quite neatly onto the need to carry out Data Protection Impact Assessments.

Data protection impact assessment

To make ‘Data breaches’ tangible GDPR compliance require that individuals can demonstrate they have carried out a Data Protection Impact Assessment (DPIA). Typically DPIA is required when personal information is put at risk; for example the deployment of new technology or where significant profiling needs to take place that could affect the rights of the individual. In these situations it may be necessary to seek consent.

What next?

GDPR will become law from the 25th of May 2018. That leaves 5 months to review your current data use as well as the consent you have obtained to use it. It may be necessary to inform your current customers and marketing subscribers of their rights under GDRP and how you plan to comply, in order that you can gain their future consent.

Every organisation will be affected by the law in different ways, depending on the data you currently manage and how you intent to use it going forward.

Demonstrating you are able to comply with individual data rights and have adequate policies and procedures to protect the data you manage is at the heart of GDPR. With data breaches almost being a daily occurrence, the future consumer will take their data use a bit more seriously. By proving to them you comply and take it just as seriously may give you the competitive advantage you need.

How can we help?

We look at data management from an IT perspective. If you’re concerned that your current systems are not able to comply we can assess your position and provide you with a way forward. Our experts work with many of the world’s leading banks and government organisations to ensure data is stored compliantly and has the relevant consent for use.