GDPR Compliance: Time is Running out
By Dominic Cooper on February 6, 2018 - Ecommerce Website, News, Startup website
You may have been vaguely aware of some important changes regarding privacy that are due to take effect in 2018. Well, the time to be vaguely aware has ended. If you haven’t started getting your staff and documentation together in preparation for the May 25th deadline, now is the time to get moving.
So What is This GDPR Thing all About?
GDPR stands for General Data Protection Regulation and it’s all about data – and privacy. It is an EU Regulation which means that, unlike a Directive, it applies directly in every EU member state without having to be transposed into national law first.
The overall spirit of the GDPR is about putting control of data back into the hands of the people to whom it belongs – you and me. This is great from a personal perspective but, if you’re a business owner, you most likely have a big job ahead of you.
The GDPR affects the transmission, storage and processing of data and can be split into four key areas:
Transparency and Access
Individuals will have the right to know who has access to their data, what it is being used for and for how long it is being kept.
Use and Deletion of Data
We will all look forward to a raft of enhanced rights when it comes to how our data is used. We can ask companies to delete data that they hold about us. We can also object to decisions being made about us solely by automated means (e.g. profiling by automated data-driven systems). Computer can no longer say ‘No!’
Breach Notification
If personal data is lost, stolen or otherwise compromised, the breach will now have to be reported to the supervisory authority (the ICO in the UK) within 72 hours of you becoming aware of it, unless it is unlikely to pose a risk to the individuals concerned. Where the risk to those individuals is high, they will have to be informed as well.
Penalties
If you thought £500,000 was a harsh enough deterrent for contravening existing data regulations then you ain’t seen nothin’ yet. Fall foul of the GDPR and you could face a fine of up to €20,000,000 or 4% of annual worldwide turnover, whichever is higher!
Time to get moving?
How Does GDPR Affect Your Business?
Generally speaking, businesses of all sizes are going to have to treat data very seriously, probably more seriously than they have been.
They will need to know exactly how customers’ and employees’ data is being used, who is using it, where it is going and for what purpose. Data that is no longer serving a purpose will need to be securely deleted rather than left sitting on a server somewhere.
Businesses will also have to be set up to deal with subject access requests in a timely manner (they will have one month to supply the requested data after GDPR comes into force).
Of course, every business is different in terms of the type and amount of data they are in control of. However, a generic strategy for GDPR compliance can be useful for making a start:
A Basic Strategy for GDPR Compliance
Here are a few steps you can take straight away to begin the compliance process; more detailed information can be sourced from the Information Commissioner’s Office (ICO) at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Raising awareness of GDPR can take time, especially in large, widely distributed organisations. Start making employees, particularly decision-makers and those responsible for data processing, aware of the impending changes.
- You don’t know what you don’t know, do you? Carry out a full data audit to identify what types of personal data you receive, where it came from, what you do with it and where it goes.
- Review your privacy notices to ensure they contain clear information about who you are, how you process data, the lawful basis for your data processing and your policies regarding retention and deletion. Make it clear that individuals can complain to the ICO if they need to report concerns.
- Check whether your current procedures are compatible with the new GDPR enhanced data access rights. If not, update them.
- Make sure you are in a position to respond to subject access requests. If someone demanded a copy of their data, could you get it to them within a month?
- What lawful basis do you rely on for processing data? Make sure you are clear on this, and document it. If you rely on consent, it must be freely given, specific and informed rather than assumed or hidden behind a pre-ticked box.
- Do you process children’s data? If so, you need to have a process for age verification and for obtaining consent from a parent or guardian where that is required. Your privacy notice will have to present this information in child-friendly language.
- How do you currently detect, report and investigate breaches? Is this in line with your new responsibility to report breaches within 72 hours? Do you need to think about cyber security insurance? Some policies will cover any legal fees as well as the costs needed to report and respond to a cyber incident.
- Carry out a Data Protection Impact Assessment (DPIA, previously known as a Privacy Impact Assessment) for any processing that is likely to result in a high risk to individuals (see the ICO for more details).
- Do you operate in more than one EU member state? If so, you need to identify which supervisory authority is your lead authority for GDPR compliance.
- Consider whether you need to appoint a Data Protection Officer (DPO). Public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data, are required to.
But We’re Leaving the EU Anyway, Aren’t We?
If your plan was to bury your head in the sand and hope the GDPR will pass away with the UK’s EU membership then you might have to think again.
Until we actually leave the EU, whenever that might be, the GDPR will be in full force in this country (and you can be sure the EU will happily accept their fines in pound sterling!)
What’s more, even after Brexit the GDPR will still apply to anyone in the EU to whom you offer goods or services, and to anyone in the EU whose behaviour you monitor as part of your digital marketing operation.
The fact is GDPR is coming up in a matter of months and every business from the smallest start-up to the biggest mega corporation should be taking action very very soon. You have been warned!