On 25 May 2018, a new EU Directive, the General Data Protection Regulation (GDPR), will come into effect. For individuals and businesses dealing with EU citizens, this will mean significant changes in the way data is gathered, processed, stored and destroyed. The purpose of the regulation is to protect the personal data and privacy of an individual who is a European citizen. It’s important to point out that data includes scanned documents or documents received by email or captured online.
Unbeknown to most, companies can collect and gather data about individuals, such as their physicality, salary and economic status, mental state, and cultural as well as social identifiers.
With such a growing rate of data collection, some tech-savvy individuals might have made a conscious effort to control the data that companies obtain about them. However, this is a time-consuming, cumbersome effort in which few people participate.
With the introduction of GDPR, managing personal data will be a lot easier for individuals. From May 2018 onwards, companies will need the explicit consent of individuals to process their data. Not only that, but companies will also have to be able to display adequate proof that the data was processed with an individual’s consent. The risks, and the necessity for businesses to act, are paramount; the GDPR will enable individuals to sue companies that do not handle personal data with care. Our work with intelligent companies already investing in GDPR-ready data strategies has enabled us to understand the scope of implementing the new regulations and their importance for businesses that want to stay ahead of their competitors in relation to data processing.
Right to be Forgotten
The headline extract from the new regulation that is gaining the spotlight is the ‘Right to be Forgotten’. This relates to a request individuals can make for the deletion and removal of all personal data where there is no compelling reason for its continued processing. Companies must have systems in place, ideally automated, that can ensure the legally binding terms of data deletion are adhered to.
The GDPR will have a monumental effect on businesses operating within the EU or dealing with EU citizens. One considerable effect is the new requirement for every company that handles the personal data of EU citizens to have a Data Protection Officer (DPO). The role will be of the highest importance in relation to GDPR. The DPO will be responsible for all data passing through or owned by a company. Furthermore, it is the role of the DPO to be the first to act in the case of a breach.
Whether intentional or accidental, every failure in protecting personal data is considered a breach. Whether the data is altered, lost, destroyed or falls under an unauthorised disclosure, the failure is considered a breach and the DPO has just 72 hours to take action. With the growth of data protection, it is important that businesses do not get complacent or fall behind their competitors when it comes to implementing a data security strategy. Trailing behind market leaders can leave businesses in a vulnerable position when it comes to customer trust.
The consequences for businesses failing to adhere to the new regulations are severe. Companies can expect fines of between €10,000,000 or 2% of global revenue and up to €20,000,000 or 4% of global revenue for failing to protect the personal data of individuals.
So, what can businesses do to prepare for the General Data Protection Regulation? Before diving head first into solution comparison, procedure updates and jargon googling, it’s important to take a step back and plan.
Gather senior members of staff and relevant stakeholders, sit down around a table and realise that this regulation is coming down the line and will have an impact on your business. It is important to get the senior members of an organisation on the same page, with a strong understanding of the implications for how you store and retrieve data. Once the understanding and introduction of GDPR have been established, a conversation can be had about how best to prepare for the regulation.
In upcoming Inpute blogs and newsletters we will be sharing tips and guides on how businesses can prepare for the GDPR, before it is too late.