Preparing for the General Data Protection Regulation
In the wake of the WannaCry cyberattacks, being vigilant and careful with online security, particularly where it pertains to individuals’ personal data, is more relevant and crucial than ever. There can be no hiding from the fact that cybercrime poses a very real, very serious, and potentially catastrophic threat.
If this weren’t reason enough to tighten your attitude to your customers’ personal data, the EU will soon be ensuring that you do so. There is now less than a year remaining until the EU General Data Protection Regulation (GDPR) replaces the similar data protection directives the EU implemented in 1995. By 25th May 2018, your company must be fully compliant.
With the hefty fines that failing to adhere to its rules will bring, as well as the ethical issues, can you afford to ignore these rulings? The EU states that organisations in breach of GDPR will be liable to fines of up to 4% of their annual global turnover, or €20 million – whichever amount is greater. Not all breaches will be penalised to this degree, though, as a tiered approach is being taken to these penalties. For example, failing to have your records in order, which would constitute a breach of Article 28, will result in a 2% fine.
For the EU to recognise that you have obtained your customers’ consent to receive and save their personal details, this consent will have to be specific, informed, and willingly given through affirmative action, like ticking a box or providing a signature.
Organisations won’t need express consent for all forms of direct marketing, though. If you are certain that you can prove an individual has a legitimate interest in the information you are sharing with them, you can still get in touch without their direct permission. Of course, you will have to provide a clear and easy way to opt out of all contact – opting out must always be as simple as opting in.
Individuals’ Control Over Their Own Data
The GDPR places a strong emphasis upon every individual’s right to get confirmation from organisations about whether their personal data is being processed. If it is being processed, they should also be granted access to information regarding where exactly it’s being processed, and why. If a ‘subject access request’ is issued by an individual, the organisation will have to provide an electronic copy of its record of the individual’s personal data, free of charge.
Moreover, if the individual is displeased with the data that an organisation has regarding them, for any reason, they have a Right to be Forgotten, also known as Data Erasure. This means a person can demand that their data be totally wiped from an organisation’s records, that the organisation ceases to share his or her data, and potentially that third parties stop processing his or her data, too.
Conditions for the Right to be Forgotten are outlined in Article 17, and include the data not being relevant to the purposes for which it was originally processed, or the subject simply withdrawing his or her consent.
Managing the Data You Have
As well as making sure that you are not defying individuals’ Right to be Forgotten, you need to be sure that the data you have on record is accurate and up to date, as not keeping your records current can result in a fine amounting to 2% of your organisation’s annual turnover.
Article 23 also specifies that you must only hold and process data which is absolutely necessary for you to complete your duties.
Be Vigilant and Proactive if Things Go Wrong
Organisations will have to give notification of any data breach that might occur. You will also need to inform your customers of the breach. Your reaction times need to be quick, too, as you only have 72 hours from the moment that you become aware of the breach.
You Will Probably Need a New Co-Worker
Many organisations will be required to appoint a specific Data Protection Officer. Exempt from this requirement are organisations whose activities do not involve regular and systematic monitoring of data subjects on a large scale, the processing of special categories of data, or the processing of data regarding individuals’ criminal records.
For any organisations which do handle such data, a DPO will be mandatory. This DPO can either be a member of staff or an external service provider, but must always be appointed based on their professional qualities and knowledge of data protection. They must also report directly to the highest level of management within the organisation.
In general, DPOs have to be appointed by public authorities, organisations engaging in large scale monitoring, or organisations processing sensitive personal data of many individuals. Specifics are given in Article 37.
A lot of you might be thinking that all of this is made redundant and irrelevant by the fact that your organisation is based in Britain and will therefore soon not fall under EU regulations. Of course, the terms of Brexit remain as unclear as much of the country’s future – at least for the next week.
Still, this does not mean that you can afford to dismiss these new regulations.
If you process any data about EU citizens in EU countries, selling goods or services to them, then compliance with the GDPR is mandatory.
If your organisation operates solely within Britain, then the lines are not so clearly delineated for how you will have to adhere to the GDPR. However, the EUGDPR page clearly indicates that the UK Government is likely to adopt the GDPR or implement its own very similar regulations.
Protecting your customers’ data has always been crucial, particularly in establishing and maintaining a trustful relationship with them. But now it is going to be more valued, and more closely scrutinised, than ever before.
Make your terms and conditions clear, provide obvious links that allow individuals to simply opt out or request the information you have stored regarding them, and take care to strengthen your online security. It is simply not worth taking risks when it comes to cybersecurity, for your organisation’s sake and for your customers’.
To look over the changes which the GDPR will bring, review its website here: http://www.eugdpr.org/key-changes.html