March 29, 2017
One of the biggest changes in how businesses retain and use customers’ personal information is coming – but do you know about the change? We’ve rounded up what GDPR is all about and the information you need to know now to get your business ready.
The General Data Protection Regulation will come into effect on 25 May 2018. It is an EU legal framework that will apply to all businesses that hold the data of EU citizens, which means that companies located outside Europe but with European customers will also be affected.
The regulation comes in at a time when the gathering of personal data has never been higher. However, it also comes at a time when customers have begun to feel unsure about the ways in which their personal data is being gathered. Evidence presented by the European Commission said that nine out of ten Europeans expressed concern about mobile apps collecting their data without their consent, and seven out of ten indicated that they worry about the potential uses that companies may have for the information disclosed to them.
GDPR is designed to give customers greater control over the amount of personal data a business holds about them, how long it can keep that data and what it can do with it. Privacy compliance will become a top concern for businesses, as this data protection framework introduces new levels of accountability and a new range of penalties for businesses that don’t comply – fines of up to €20 million or 4% of the company’s global annual turnover for the previous year, whichever is higher.
The implementation period for the new regulation began in 2016 when it was ratified by EU bosses. This two-year period of getting ready means that companies won’t be able to use the excuse of not knowing it was coming as a reason for not being ready for the change.
The changes are substantial and require businesses to make their objectives clear with regard to why they require personal data and how they intend to use it.
The definition of what constitutes personal data is also expanding and will now include anything that could identify an individual. This means that, for the first time, it includes information such as genetic, mental, cultural, economic or social information.
There are also going to be new concepts, including the right to be forgotten and a formal process and timescale for notifying data breaches. GDPR will also drive privacy by design, meaning that businesses will need to take privacy into account throughout all stages of a project as a preventative measure.
Importantly, fulfilling the requirements of GDPR is not just a task for those who control the personal data – everyone who uses the data in some way will also have to show compliance.
The key to compliance with GDPR is to ensure that you have legal reasons for holding and using data and that you have these reasons documented in writing.
You’ll need to ensure that customers have a way to understand how and why their data is being stored; you’ll also need their explicit consent to store this information.
Large companies that deal with a significant amount of personal data must employ a Data Protection Officer, whose role will focus solely on assessing that the procedures put in place for GDPR compliance are working effectively and on ensuring that staff are comprehensively trained to understand their own responsibilities.
With the UK set to formally announce its intention to leave the European Union at the end of March 2017, many businesses are wondering whether they still need to make these changes for GDPR if the country is no longer going to be in the EU. As the process of withdrawing from the EU takes a minimum of two years, businesses will need to ensure compliance, because the UK will still be subject to the regulation when it comes into force in May 2018. Furthermore, the UK Information Commissioner’s Office has stated that it will be looking to implement GDPR principles in UK data protection regulations post-Brexit.
While GDPR puts in place regulation to ensure the accurate and fair usage of personal data, there may be a better and more long-term solution already available. Blockchains are secure, distributed, third-party software systems that would enable consumers to store their own personal data and then share it with businesses themselves, rather than handing over their details for the business to store.
Increased usage of Blockchain technology could help businesses ensure compliance with GDPR. The requirement for an individual’s authorisation, combined with a decentralised structure, results in Blockchains being immutable. GDPR and blockchain both have the consumer in mind, with the single objective of changing the fundamentals of personal data management and security.
For more information on the upcoming GDPR changes, the Direct Marketing Association website is a great source which we would recommend. They have recently published guidance on consent and are currently running a consultation to gather input for the Information Commissioner’s Office to inform GDPR when it is brought into effect. You can also find the latest timelines there.
For more information or guidance on GDPR, how you can stay compliant, or how your organisation can more efficiently and effectively leverage its data, get in touch with the team.