3 Key Considerations for Businesses Tackling GDPR Compliance
This article is a small snapshot of the GDPR, the European Union General Data Protection Regulation, and what it may mean for your organisation.
Many of you will have heard of, or come across, the term GDPR, but don’t really know what it is and what we as businesses must do. This article will in no way give you all the information, or tell you everything that needs to be done, but it will give you an overview of three key areas for consideration. If you look up GDPR on Google, Bing, or whatever search engine you prefer, you will more than likely come up with this definition. IBM Analytics, for example, states:
“GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.”
Not the simplest explanation for someone, or some business, who just wants to understand in layman’s terms what it means. So, simply put, the EU has created rules (regulations) to ensure that citizens’ rights are protected in the way their information (data) is treated. Just to be clear, you don’t have to belong to the EU for these rules to apply: anyone who processes data from EU citizens also has to adhere to these regulations.
So, what does it all mean and why is it important that we sit up and take notice of the new regulations? Our first key area to highlight…
New GDPR Regulations for Data Storage
Anyone who is classed as a ‘controller’ or ‘processor’ of data has to abide by these new regulations… by May 2018! A data controller has the responsibility to state how and why personal data is being processed, and the processor, surprisingly enough, is the party responsible for the processing of that data! The controller’s responsibility is to ensure the processor abides by the data protection laws, and the processors must abide by the rules on maintaining records of their processing activities.
It all sounds fairly straightforward, but unlike before under the Data Protection Act, anyone who doesn’t take this seriously may be far more liable than they were previously. Anyone thinking that models including pre-ticked or opt-out boxes are the solution needs to look into the regulations more closely, as consent must be an active and affirmative action, as opposed to something more passive. Whilst this adds some basic clarity when it comes to how data is stored, it still doesn’t answer what type of data this is referring to! So here goes…
Types of Data to Consider Under GDPR
The first thing to clarify is that the only data subject to EU data law is personal data, so in theory it should be fairly simple – wrong! The classification of personal data is absolutely key. However, the definition from Article 4 (EU-GDPR) doesn’t really help to answer the question:
“Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
On top of this, according to Article 9 (EU-GDPR), there’s then ‘sensitive personal data’, which requires organisations to have even stronger grounds to process this data:
“‘Sensitive Personal Data’ are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU’s legislative competence).”
As you can see, the top-level answer to what type of data falls under these regulations isn’t too complex, but when we start to drill deeper, there is a detailed level of understanding that organisations will require. If they do not have that expertise, there are two fairly straightforward options: do plenty of reading, or engage with external businesses who can support you with compliance. The final consideration, and what every company will no doubt be wondering…
What are the Consequences of not Being GDPR Compliant?
Well, from how the regulations are written, quite a lot actually! Under GDPR, Talk Talk’s record fine of £400k would actually have cost £59 million! If there is a data breach and businesses do not meet the 72-hour deadline to inform the data protection authority, this could mean a penalty of either 2% of annual worldwide revenue or £10 million (whichever is higher). Other fines include 4% of worldwide revenue or £20 million (again, whichever is higher). These are obviously huge numbers, and exactly how this will be monitored and executed in the case of a breach is even more ambiguous, simply because we are not yet at the stage where this has happened. Rather than just focusing on our own advice from the high-level understanding we have, I decided to have a look at some basic points and guidance from a company just a little bit bigger than our own… Microsoft! Their guidance states: “We recommend you begin your journey to GDPR compliance by focusing on four key steps:”
– Identify what personal data you have and where it resides
– Govern how personal data is used and accessed
– Establish security controls to prevent, detect and respond to vulnerabilities and data breaches
– Execute on data requests, report data breaches, and keep required documentation.
The infographic below from Microsoft.com offers a logical overview and essential guidance; discover more information here.
Our Advice for Best Practice GDPR Compliance
Hopefully, the above has given you some food for thought. At Pragmatiq, we are a growing business like so many others out there, and we don’t profess to know the world of GDPR regulations inside out. One thing we can tell you, though, is that we are taking this seriously, will take advice wherever needed and, most importantly, will be taking action. We advise all businesses to do exactly the same, and best of luck working your way through the detail.