In less than 100 days, the way all organisations - big and small - in the EU obtain, process and store data will change. If it’s not already in your diary, on your calendar, or even pencilled in, the 25th May 2018 needs to be a date you are ready for.
Why? Well, if you’ve been under a rock since the 2016 unveiling, you might be surprised to know that this is the date when the new General Data Protection Regulation (GDPR) comes into effect.
Its predecessor, The Data Protection Act (1998), was once the security blanket by which businesses, consumers and everyone else was protected when it came to privacy and personal data. But 20 years’ later, having seen the dawn of a digital era and ever-evolving technology, the DPA is in dire need of a refresh.
This is the new standardised security blanket for all EU Member States. It puts the onus on Data Controllers and Data Processors (more on them here) to educate and inform Data Subjects, ensuring information is acquired, processed and stored properly, with the Data Subjects’ clear and explicit consent.
What does all of this actually mean?
If you haven’t already started preparing your business for the impending GDPR legislation, you have a busy few months ahead. You’ll need to review your current processes and map your existing data, checking the source, scope and security associated with the personal data you collect and process.
Not a small job by any measure. Of course, if you’re thinking that you’re too busy, it doesn’t apply to you, or there’s no point when already in the throes of Brexit – you’d be wrong.
GDPR applies to everyone and will continue to do so for anyone hoping to do business after the UK leaves the EU. If you don’t comply and you’re found to be in breach, you could fall foul of the two-tier fining policy, being fined up to €20 million or 4% of your annual turnover… ouch.
Is GDPR really that big of a deal?
Short answer: Yes.
Technological advances and a need for cross-border standardisation in an increasingly global market brought GDPR around sooner than initially expected. However, headlines full of data breaches, cyber-attacks, ransomware, and identity fraud are all stark reminders that data is a valuable commodity, security must be a priority and current measures are not enough.
While banks and insurance companies have long been targets, prompting ongoing investment in securing customer data, it is the vulnerabilities exposed by council websites and paper archives, and even online MVPs that are most alarming.
In 2016, Norfolk County Council suffered a heavy fine for a data breach that saw old files turn up in second-hand cabinets. In the same year, Yahoo revealed it too suffered a data breach for one billion user accounts after coming under cyber-attack in 2014; demonstrating that even global giants need to perfect their GDPR game.
Comparatively ‘low-risk’ businesses, like online retailers, are also subject to GDPR and all it entails. An e-Commerce business might collect customer email addresses for login profiles, invoicing and even marketing, making them a data controller. If they employ a third-party email marketing company to send their newsletters for them, they add the extra risk of a data processor too. As long as the data is secured properly and used correctly by both parties, there’s no issue. However, if either party’s website, database or processing is non-GDPR compliant, that can be a big problem.
How can I ensure I am GDPR compliant by 25th May 2018?
Having worked with a variety of both council and e-Commerce websites, we are no strangers to the magnitude of sensitive personal data at risk, and the importance of keeping everything from health records to card details safe and secure.
Businesses and their sites and systems are integral to each other, which is why part of this regulation calls for organisations to keep their data secure, employing “appropriate technical and organisational measures”. There is plenty of material out there explaining exactly what to do, how to do it, when to do it and why.
For now, though, here are a few things you should check, or at least be considering, so close to G-day:
- Is your website secure? Does it employ open or closed source code? Is your organisation’s anti-virus software up-to-date?
- How about your server location and ownership? Are your website and any associated platforms hosted securely?
- What database do you use? Is it secure? If provided via a third party, have they evidenced that they are GDPR-compliant? Think tools and apps, internet service providers, lead generation software, etc
- Have you invested in a system that allows you to input, store and use data securely?
- What about your organisation’s ‘internet of things’? When reviewing everything, include any devices with embedded software or connectivity that allows for data collection and exchange
- Can you employ security measures such as encryption, or even pseudonymise data?
- Are you requesting, storing and processing only minimal data; that which is necessary to fulfil the agreed purpose? Have you completed data mapping to identify all instances where consent is needed before data is obtained?
- Have you updated your SSL certificate, Ts & Cs, contractual small print and Cookies policy?
- Is everything in black, white and clear? You need to be transparent, declaring what data you need and why, as well as how you will use and store it
- Are you providing “opt-in” communication, enabling users to explicitly state or affirm their consent? Remember: lack of objection, as with the current “opt-out” model, is not permission. Privacy is a right to be exercised, not a privilege. Data Subjects must also be able to access or update their data, as well as exercise their right to be forgotten
There’s certainly a lot to chew on, whether you’re ready and raring for the new GDPR age, or only just sinking your teeth into it. So take comfort in the thought that you aren’t in it alone, and that you can collaborate with everyone from peers and official bodies to your web and marketing company or even the third parties you work with, to ensure that your business is ready for GDPR this May.
Speak to us about your current digital offering, the steps you’ve taken ahead of GDPR and what sort of solutions we could offer you – we’d be glad to help!