The General Data Protection Regulation (GDPR) will give people more control over their personal information when it is passed into law in 2018. It will supersede the UK's current, outdated Data Protection Act, which was drafted way back in the 1990s.
Whilst a good thing for us as consumers, what challenges might these changes pose to your organisation?
In general terms, GDPR will change the overall concept of personal data by expanding its definition to include people's IP addresses and other online identifiers, as well as forcing companies to gain people's explicit consent to use their data and to be clear about what it is used for.
People will also have a right to move all their data from one company to another, and to know when or if their data has been hacked. They will also have the right "to be forgotten", which will require companies to delete people's personal data on request from ALL places where it may be stored, the control of which I can only see being achieved by having an accurate asset register of known applications in use.
It will be interesting to see the challenge for those responsible for compliance and data security, and how they can support, for example, marketing departments, who might use a number of disparate systems such as Mail Chimp, Eventbrite, LinkedIn and Sales Navigator, to name just a few. The challenge will be how content stored within these applications can comply with corporate compliance dictates. These are often supporting tools used outside the CRM and often forgotten when data retention is considered.
The legislation represents the death of tape backup and creates the need for better ways to search archived data, so that you can be sure ALL client details have been "forgotten". More robust and achievable methods for data storage, retention and deletion will need to be considered, whether your organisation is a commercial entity or in the not-for-profit sector.
These new rules represent dramatic changes to the way businesses are required to handle data, and the consequences for failing to look after such information properly can be drastic.
Any company that suffers a data breach will face a fine of up to €20 million or four per cent of their annual global turnover, compared to a maximum existing penalty of £500,000.
And even before these changes take effect, we see evidence of practices that are challenging even the most well-meaning organisations (Rebecca Cooney, http://www.thirdsector.co.uk/cancer-recovery-foundation-says-contacted-ico-possible-fine/fundraising/article/1422863 ).
So the lesson here is not to stick your head in the sand and think it will not affect you: it will.
This legislation will come into force in May 2018, which means your organisation must be ready. And if you think Brexit might save you, think again: according to an article written by Chiara Rustici at http://www.computerweekly.com/opinion/Dont-think-that-Brexit-will-save-you-from-the-EU-data-protection-rules , you may still be subject to the detail of the legislation.
My own thoughts are that, even if the fines are not as draconian, the detailed requirements that will require you to allow individuals to see their own data, to release a copy of any data you hold about them in a commonly readable format, and to allow them to exercise their right to data portability (making it easier for them to transfer personal data from one service provider to another) will not go away.
You will need to prove that the records are both safe and, where requested, deleted. The new legislation clearly shifts the emphasis of responsibility onto you to satisfy the enquirer.
Organisations need to review their data protection policies and technology to check they are compliant now and start to create policies, procedures and action plans on how they intend to manage the new challenges.
Once these are identified, they need to implement suitable changes, including selecting technology and an ICT infrastructure that will support the changes identified.
The myriad of on-premises and cloud solutions an organisation uses adds to the complexity of the data security challenge, and the need for detailed policies and procedures aligned to IT business services should be at the heart of any organisation's solution to that challenge.
I am interested to share your concerns around this topic and to learn of methods you intend to deploy or perhaps have already used in anticipation of this change.