Is Your Business Ready for GDPR?
As we come to the end of another busy year for businesses, worries within the tech sector are growing as the implementation of the new General Data Protection Regulation (GDPR) draws closer. Here at NIX Solutions, we have the best practices in place to bring clarity to the uncertainty, knowledge to the ignorance and method to the madness.
What is GDPR?
In short, GDPR is Europe’s framework for data protection and the privacy of EU citizens. It governs the way in which companies store consumers’ data, and expands an individual’s ability to access and control the data that companies collect about them.
Therefore, for organisations that collect, transfer and store consumer data, it’s mission critical to be ready for the new legislation which will come into force on 25th May, 2018. Despite the ambiguity surrounding UK Brexit negotiations, GDPR regulations will remain the new benchmark for data handling and privacy for years to come – outlining the importance of businesses’ ability to comply with, and adapt to, the new rulings.
Implications
The stakes are high: if your company fails to make all adequate efforts to protect data, the potential penalties are up to €20,000,000, or fines equal to 4% of your turnover, whichever is the larger. In addition, brands that fail to protect data will suffer reputational damage and potential revenue loss.
This was borne out just this week, when it was uncovered that the global taxi transport company Uber had concealed a massive global breach of 57 million customers’ data in October 2016, only notifying customers and drivers one year later. The scandal has led to a public airing of the company’s considerable dirty laundry (negative stories they would prefer went away), sparking social media campaigns calling for a boycott of the firm, and demonstrating the damage that loose data protection can do to your company’s reputation.
New Consumer Rights
Personal data is any information related to an individual: name, photos, addresses, bank details, medical information, and anything else a company or organisation holds about a person. It should also be noted that web cookies and anything else that helps record such information, including which browsers and devices people use and where they are (geolocation data), fall within the scope of the new law. There is no distinction between data about a person’s public, private or professional roles: the person is the person. This also applies to B2B markets, since the relationships behind business negotiations are formed by people, who are individuals with the same rights.
Under the new legislation, individuals have:
- The right to access – individuals have the right to request access to their data and transparency relating to how the company plans to use it.
- The right to be forgotten – they have the right to have their data deleted.
- The right to data portability – the right to transfer their data between companies.
- The right to be informed – individuals must be informed before their data is collected, processed and stored. And a data subject should know if their data is being sent to a third-party as part of this process.
- The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
- The right not to be subject to a decision taken without human intervention – any decision that is based on automated processing and has a legal effect, or a similarly significant effect, on the individual now needs a human as part of the process.
- The right to restrict processing – individuals can request that their data is not used for processing.
- The right to object – this includes the right of individuals to stop the processing of their data for direct marketing.
- The right to be notified – if there has been a data breach, companies need to inform those affected within the first 72 hours after becoming aware that a breach has occurred.
These changes and others are why we at NIX have a team of qualified lawyers, ready to solve all the issues that may arise. We’d like to thank partners from Alpha-omega Legal Center for legal and practical help and guidance getting ourselves and clients ready.
How to Prepare
Evidently, the impact that new GDPR regulations will have on the technology industry is unparalleled. Even if your company isn’t based in Europe – if you have customers or suppliers, or consumer data passes through Europe – you need to know about GDPR. Here are some initial steps to get you started and ensure you’re fully compliant.
1. Appoint a DPO
A Data Protection Officer (DPO) is responsible for data collection and processing within an organisation. It is wise to recruit someone who will solely oversee this area, as the GDPR entails various rules that will require thorough attention, e.g. the need to conduct data protection impact assessments.
2. Review current processes
Outsourcing data collection and processing, especially when it comes to payments, is no longer a way to absolve an organisation of responsibility. Many organisations outsource marketing, payment processing and IT, and every touchpoint in the supply chain can involve processing, storing and sharing sensitive consumer data.
Going forward, GDPR requires that the company collecting and using the data is confident in the security of every provider, including third-party cloud services. It is no longer a case of out of sight, out of mind. Companies and providers will need to share more information about internal processes, to ensure everyone is compliant with the new legislation.
3. Put security measures in place
The new legislation stresses that organisations will need to respond rapidly once they are aware of a data breach, informing the data subjects and national regulators within 72 hours. Therefore, you should implement safeguards throughout your infrastructure to contain any breaches, and develop a plan of action to notify individuals ASAP. In addition, make sure to check your suppliers have considerable security measures in place, as outsourcing doesn’t exempt you from being liable.
4. Privacy-by-Design
When a company takes payments online, there is an explicit request for sensitive information, from card details to an email address. When GDPR comes into force, this request, whilst already explicit, needs to come with a clear statement about where the data goes and who is responsible for storing and processing it.
Every company in this value chain needs to have processes that offer rigid protection. The end-user then needs to be able to give their consent confidently, knowing that they are handing over personal data to an organisation that can protect it. Consent can also be withdrawn at any time, which means reconsidering auto-renewal and subscription payment processes.
GDPR is getting closer. NIX is ready
While GDPR presents many challenges and worries for organisations, it arguably provides great opportunity to retain more loyal customers. The new parameters facilitate client-business relationships, allowing your firm to develop strong bonds and potentially create a long-term consumer base.
With this in mind, 25th May 2018 should be anticipated with a sense of promise rather than concern. We have spent most of 2017 getting ready, so that our customers can work with a team of qualified lawyers to adapt to the new legislation. GDPR is approaching fast, but in our experience you don’t need to worry.
GDPR is not as scary as it may seem. We are ready to help. As the date approaches, we urge you to start implementing new data protection compliance guidelines, internally and working with suppliers, and to get in contact if you want NIX Solutions to assist.