Are you ready for the changes coming into force on the 25th of May 2018?
GDPR is the General Data Protection Regulation that will directly affect all companies collecting personal data which in this digital era is just about every business!
Thinking that GDPR is not your issue because your company doesn’t have a presence in Europe? Not true – If you offer any products or services to the European market, or if you collect data on European customers, the new privacy rules apply to you. All companies need to be starting work on this as early as possible to hit the May 2018 deadline.
GDPR Key Points
The definition of personal data is becoming broader and includes everything from medical records, financial status, social identity, and much, much more. From now, hardly any personal data will not fall under the GDPR, making it virtually impossible for companies to avoid having to comply.
Companies will have 72 hours to communicate to the relevant data protection authority that they have suffered a data breach. Businesses operating all over Europe must set up their breach notification and response services.
All businesses, whether within the EU or beyond its borders but doing business in the EU, will have to comply with the GDPR if they collect personal data of EU citizens.
Collect your data carefully, and with the GDPR in place, it will be detrimental that you don’t collect and store more than what’s required.
For breaking the GDPR, companies will pay up to 4% of their global revenues or €20 million, whichever is greater. A penalty this large will put some, if not many, companies out of business.
All companies must collect an affirmative consent from all individuals, which allow them to process personal data. It will be more important than ever for businesses to explain what personal data they are collecting and how it will be handled and used. Without valid consent, any personal data processing activities could be shut down.
All individuals have the right to be forgotten. Meaning companies will have to get a new consent before they can alter the way they are using the data collected. It also means companies must have the processes and technologies in place to delete data in response to requests.
The times where privacy was an afterthought are gone. These new principles require you integrate privacy requirements in the design of new products and services and that you process the minimum amount of personal data necessary to achieve a particular function.
Consent is not for life and must be repeated. Companies need to ensure they use simple language when asking for consent to collect personal data and they need to be clear about how they will use the information.
Companies whose core activity entails regular and systematic collection of personal data on a large scale, as well as firms that handle sensitive data, must hire a Data Protection Officer (DPO).
The GDPR requires data controllers to conduct Privacy Impact Assessments where privacy breach risks are high to minimise risks to all data subjects. Before companies can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO to ensure they are compliant.
For a fuller description and explanation of all the points I have picked out as key please see the ICO website.
Wi-Fi Concerns
We take Wi-Fi for granted and expect it to be available in most public places – airports, clothing stores, cafes, bars, restaurants, supermarkets, everywhere!
Businesses that have customers on the premises will probably offer free or paid for Wi-Fi as an attraction. By asking users to log in, businesses can leverage Internet access to generate marketing data from details obtained by registering for the Wi-Fi service. At the moment collecting and storing of this personal information collected via a business Wi-Fi brings responsibilities under the Data Protection Act 1998 (DPA) and all businesses that collect data should be registered with the Information Commissioner’s Office (ICO). However, the GDPR, as outlined above replaces the DPA in May 2018, and from a DPA list of Nice to Do’s and Should Do’s under it will become Must Do’s under GDPR with the threat of massive fines.
Even as the first step towards GDPR compliance, you must ensure:
- Your terms & conditions for your Wi-Fi service are very clear on what data you are collecting
- The reasons why and your intended usage of the data collected
- Give the ability for the public to opt-in for any marketing, as well as providing them clear instructions on how they can opt-out at any time.
- Along with all the standard and necessary Wi-Fi controls such as router security, segregated network traffic, virus/malware protection and firewalls you must ensure you are aligned all policies with the GDPR.
Game Changer
The new GDPR is an absolute Game Changer, and we will see come May 2018 that the existing DPA was just a little puppy licking faces and the GDPR is a fully-grown dog with big teeth waiting for its first big bite!
Don’t wait, the clock is ticking, and there is no time like the present to ensure your business is aligned and compliant to the General Data Protection Regulation.