Data collection and management is being given a shakeup with the introduction of the General Data Protection Regulations, also known as the GDPR. Due to come into force on the 25th of May 2018, what does your business need to do to ensure you are ready for its arrival?
What does GDPR mean?
GDPR stands for the General Data Protection Regulation.
Who created the regulations?
Back in 2012, the European Commission laid out a strategy to create a better standard of data management legislation to bring Europe up to speed with the current highly connected era. Finally, in 2016, the parties reached a consensus on what the new set of regulations would cover, how they would be monitored, and how violators would be prosecuted.
The General Data Protection Regulations represent the culmination of these efforts in data reform. After the 25th of May, this new set of regulations will govern all businesses and organisations across the European Union, as well as EU-based businesses which have dealings with businesses or organisations beyond the borders of Europe.
What do the regulations cover?
The General Data Protection Regulations are an entirely new framework which empowers citizens and residents of the European Union with more rights when it comes to the collection, use, and security of their personal and sensitive personal data.
The goal of the GDPR is to streamline the data management sector, which will make it easier for businesses to trade across borders without infringing the rights of citizens on either side. As a result, it is anticipated that citizens will further enjoy the current digital age without the increasing worries that their personal data may be compromised or used in unapproved ways.
Our lives are increasingly linked with our online presence and every interaction and action we take leaves a digital footprint that a business can harness and use for its own gain. The breadth of places for data to be collected varies from social media sites to online banking, online stores, and even branches of government departments that offer services online.
When you think about it, your unique identifiers could potentially be anywhere, and this fact represents a risk. From your given name and family name to your residential address, your bank account number and credit card number, to sensitive data such as your religious affiliation or sexual orientation, it is possible for all these data classes to be stored by various organisations without your prior approval.
The General Data Protection Regulations give consumers confidence that their data, if it is collected, is used only in approved ways. As a business owner, you must comply with every criterion set out in the regulations, and as a consumer, it is your right to ensure each business or organisation you engage with follows suit.
Complying with General Data Protection Regulations
It is not out of the ordinary for data breaches to strike even the most expertly managed data-collecting business. The problem with data breaches is that client data can fall into the wrong hands, meaning clients could become victims of fraud or hacking.
The General Data Protection Regulations require all organisations to make sure all client information stored is obtained through legal means and through a process that meets a checklist of approved methods.
Also, employees or staff who handle data are required to ensure the security of the information. This will prevent information from being used inappropriately as well as reducing the likelihood that data will be exploited, such as through the selling of client data for direct marketing lists.
If businesses fail to act in a manner that respects the rights of individuals, they will face severe financial repercussions as laid out in the GDPR.
Universal application
All businesses and organisations that function within the European Union are required to comply with every regulation laid out in the GDPR. Also, all entities which trade with either businesses or clients in the European Union are required to ensure their data management complies.
The United Kingdom’s Information Commissioner’s Office has confirmed that all businesses, organisations, and individuals will be liable to a greater degree for any data breaches or mismanagement under the GDPR.
The General Data Protection Regulations make it clear there are two different types of entities that deal in data, known as processors or controllers.
- Controller
According to Article 4 of the GDPR, a controller is a ‘person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.’ This can be understood to refer to your business as it acts to obtain and control client information. According to the GDPR, controllers are required to ensure all contracted processors comply with the regulations as set out.
- Processor
According to Article 4 of the GDPR, a processor is a ‘person, public authority, agency, or other body which processes personal data on behalf of the controller.’ This can be understood to refer to any third-party entity which has access to your organisation’s client information for the purposes of providing data services. The GDPR places a heavier burden on processors when it comes to adequate records management, as this information will be required in the event of a breach.
The definition of personal data
Personal data as defined by the GDPR includes a client’s name, residential address, and any images associated with that person, such as submitted ID photos or treatment photos. In addition, the GDPR goes beyond previous definitions to include the user’s IP address in the definition of personal data, making it even more important that your website is secure.
Going beyond personal data is sensitive personal data, which comprises a more delicate category of identifying characteristics. This includes biological information such as genetics, biometric data such as fingerprints, and other personal data such as gender, sexual orientation, religion, and political affiliation.
Looming deadline for compliance
As the GDPR comes into force on 25 May 2018, it is mandatory for all existing businesses to meet the required criteria to become compliant. Any business found to be acting against the regulations on or after the date specified runs the risk of paying substantial penalties as well as being forced to take immediate remedial action. As a result, active preparation in the coming weeks is the best strategy to ensure your business meets all the requirements.
What about Brexit?
The United Kingdom is on course to exit the European Union as of the 29th of March, 2019. However, GDPR will still be enforced in the UK regardless of the country’s exit from the Union.
If you operate a business in the United Kingdom and you think the GDPR will not apply to you, you are wrong. You are still required to become compliant as of the deadline, and you will still be required to maintain compliance long after Brexit occurs.
Immediate implications for business
While placing an immediate burden on businesses who may need to get up to speed with compliance in a short time frame, the GDPR is a beneficial change for business as it creates one law to govern the entire continent.
According to the European Commission, there are many benefits to having data legislation controlled by a single entity. With more transparency, it is much easier to move into new regions without worrying about the specific demands of each area.
It has been predicted the GDPR will save €2.3 billion every year across Europe, adding up to big savings for business continent-wide. However, as the legislation governs all businesses that interact with the European Union regardless of their origin, some international companies and smaller companies that export into the EU will have to become aware of the regulations and act on getting compliant.
Boosting innovative ideas
With the focus heavily on preventative action, the regulations have been touted as a vehicle to promote further innovation across Europe. It is hoped this change will start a positive flow of safer, well-designed products and services that are conceived with the philosophy of the GDPR in mind, putting customer data and customer rights at the forefront in the future.
One innovative idea that has already been promoted as a result is pseudonymisation, a data management technique which does away with information that can be used to personally identify clients, instead assigning each client a pseudonym. In this manner, data can be analysed without any risk of privacy breaches or misuse, as the client’s identity is fully protected throughout the process from beginning to end.
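As an added illustration of the pseudonymisation technique described above (example code written for this page, not code from the article or from any regulator), the following Python splits a set of client records into an analytic dataset carrying only a pseudonym and a separate re-identification table. The scheme is an assumption of this example, not something the GDPR prescribes: pseudonyms are derived with HMAC-SHA256 under a secret key held by the controller, so the dataset alone, without the key and lookup table, does not name a client, yet records for the same client still link together for analysis. The sample records are constructed, fictional data.

```python
"""
Added example (not from the original article): pseudonymising a client
dataset so that analysis runs on records that carry no direct identifier.

Assumed design, not a GDPR-mandated scheme:
  * Direct identifiers (name, email, address) are replaced by a pseudonym
    derived with HMAC-SHA256 under a secret key.
  * The key and the pseudonym -> identity table stay with the controller,
    separate from the analytic copy given to analysts or processors.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person; they must not reach the analytic copy.
DIRECT_IDENTIFIERS = ("name", "email", "address")

# Constructed sample records (fictional clients); Alice appears twice.
CLIENT_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test",
     "address": "1 High St", "plan": "gold", "visits": 5},
    {"name": "Bob Sample", "email": "bob@example.test",
     "address": "2 Low Rd", "plan": "silver", "visits": 2},
    {"name": "Alice Example", "email": "Alice@Example.TEST",
     "address": "1 High St", "plan": "gold", "visits": 3},
]


def pseudonym_for(key: bytes, email: str) -> str:
    """Derive a stable pseudonym from a client's canonical identifier.

    A keyed HMAC is used rather than a bare hash: an unkeyed SHA-256 of an
    email address can be matched by hashing candidate addresses, whereas
    the keyed value cannot be checked by anyone holding only the dataset.
    The email is normalised so the same person always gets one pseudonym.
    """
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes):
    """Return (analytic_dataset, reidentification_table).

    analytic_dataset: rows with a 'pseudonym' plus only non-identifying fields.
    reidentification_table: pseudonym -> direct identifiers, controller-held.
    """
    analytic, lookup = [], {}
    for rec in records:
        pid = pseudonym_for(key, rec["email"])
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pid
        analytic.append(row)
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return analytic, lookup


def reidentify(lookup, pseudonym):
    """Controller-side reversal; needs the separately held table."""
    return lookup.get(pseudonym)


def visits_per_client(analytic):
    """An analysis that needs linkability between rows but no identity."""
    totals = {}
    for row in analytic:
        totals[row["pseudonym"]] = totals.get(row["pseudonym"], 0) + row["visits"]
    return totals


def contains_direct_identifiers(analytic) -> bool:
    """Release check: True if any direct identifier field survived."""
    return any(k in DIRECT_IDENTIFIERS for row in analytic for k in row)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once and stored by the controller
    dataset, table = pseudonymise(CLIENT_RECORDS, key)
    assert not contains_direct_identifiers(dataset)
    print("analytic rows:", dataset)
    print("visits per pseudonym:", visits_per_client(dataset))
    first = dataset[0]["pseudonym"]
    print("controller re-identifies", first, "->", reidentify(table, first))
```

The point the code makes about the technique is the separation: the analytic copy can be shared or processed with the identifiers gone, while re-identification stays possible only for whoever holds both the key and the lookup table, which is why those two artefacts deserve the same protection as the original client records.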
Implications for consumers
Consumers and citizens should welcome the news of the GDPR. It is rare to hear of an individual who has not been affected one way or another by information breaches, privacy breaches, or hacking.
Most people have had at least one or two key pieces of information leaked out unwillingly, which can present a problem if it is a crucial piece of data, such as a credit card or NHI number.
The GDPR helps resolve these issues by empowering consumers with the right to know as soon as a data breach occurs. This is in stark contrast to the past, where many businesses tried to minimise or in some cases actively worked to hide the breach, to protect their reputation and save themselves the hassle of having to deal with customer complaints and subsequent data management follow up tasks.
The first thing the regulations require businesses to do is inform appropriate contacts of instances of data breaches. This is to ensure citizens are empowered to act in response to ensure the safety of their personal information and assists in making sure they can reasonably prevent the abuse of their data.
Most importantly, it acts as a tool for customers to judge whether they wish to keep engaging with a business that has suffered one or more breaches. You would not be likely to trust a business that suffered continual breaches, which makes this information invaluable.
If you do decide to continue engaging with a specific business, it is important to know exactly how that business uses your data and this extends to the knowledge of how this data is processed. In addition, businesses are required to explain all their processes in a way that customers can comprehend.
Often, businesses seeking to act in malicious ways use overly wordy explanations to disguise their real intentions. Under the GDPR, businesses are expected to use plain language that a reasonable person could understand with little difficulty.
Expect an opt-in
For businesses to determine whom to contact, they will need to expressly ask clients for their consent to future communications. This could be as simple as asking clients to opt in to a database by ticking a box to indicate yes, or asking them to fill out a form the next time they are present in your office.
In addition to providing opt-ins, businesses need to make it easy for customers to exercise their right to opt-out of communications. Rather than hide this feature, as some businesses have done in the past, your business needs to highlight this is, in fact, an option that customers have the right to choose.
Customer right to delete records
In the past, the rights of the customer to request the deletion of held records were murky territory. Under the GDPR, the customer has the right to have their information removed from your records; as long as there is no legal obligation for you to retain that file, you should comply with the request promptly. Failure to do this will result in your business acting against the regulations, which will result in a penalty.
All about breach notifications
Under the GDPR, the onus is on all organisations, businesses, and individuals to provide notification of breaches as soon as they occur. These are known as breach notifications, and they are a required part of regulation-compliant data practices.
Those reporting breach notifications are also obligated to inform clients of the breach directly and swiftly, to empower the customer to take action as they see fit. In addition, organisations are required to create breach notifications on any breaches that have the potential to cause significant harm to individuals.
Significant harm could arise from a data breach that involved highly sensitive data and can involve anything that may reasonably lead to discrimination, reputational damage, monetary loss, a breach of strict confidentiality, or any other issue.
Hackers are dealt with in a category of their own. Due to the severity of hackers’ impact, the organisation will be required to inform all parties that hacking was involved. This is important in the case of potential economic damage as early warning of malicious intent can protect consumers from further losses down the road.
Due to the severity of these circumstances, it is inappropriate for businesses to communicate via a standard press release – as some organisations have been known to do in the past. Under the GDPR, businesses are required to communicate this knowledge to customers directly, for all potential victims to become aware of the severity of the breach.
Creating breach notifications
In addition to outlining the way breach notifications occur, the GDPR also outlines what information is to be included in a breach notification to ensure it meets the requirements of adequate communications. This includes:
- Detailed information about the nature of the breach.
- The categories of information the breach relates to.
- The number of individuals whose data was compromised.
- The number of personal data records which were compromised.
- A thorough explanation of potential issues arising from the breach.
- A thorough description of the actions that have been taken and are being taken to manage the breach.
- The contact information for the person managing data in the organisation.
Timely breach notification management
A delay in notification can result in further economic damage; organisations are expected to report their breach notifications within a maximum of 72 hours of realising that an event has occurred.
Counting from the realisation of an event is a logical choice, as companies do not always become aware of problems instantaneously. What this does mean is that once a company becomes aware, it is required to act fast. If victims are potentially involved, then the entity has an obligation to inform them as quickly as possible, to allow them to exercise their own rights over the situation.
Heavy penalties for non-compliance
Under the GDPR, the financial penalties are severe. Fines range from 10 million euros up to a maximum of four per cent of the company’s revenue, which for large companies can run into the billions.
Each penalty is calculated according to the severity of the breach and is determined after taking the company’s data management approach into account. Lackadaisical methods will not be tolerated and will result in a higher monetary penalty being applied if the severity warrants it.
Most serious breaches
While all data breaches are considered serious, some are more severe than others under the GDPR. These include:
- Infringements on the rights of the individuals whose data is held.
- Unauthorised international transfer of personal data regardless of whether it was for profit or not.
- Failure to establish adequate procedures for managing client data safety.
- Actively ignoring access requests from individuals as is their right.
Moving forward with compliance
As the deadline for compliance looms, it is imperative that businesses of all sizes prepare by first auditing their data collection and management processes and then designing for the new citizen-empowered era. With preventative action, your business will be running in compliance in no time at all, and your customers will be safe in the knowledge that they can trust you with their custom now as well as in the future.