Brief overview of GDPR
GDPR stands for the General Data Protection Regulation. It’s an initiative by the European Parliament, the Council of the European Union and the European Commission to “strengthen and unify data protection for all individuals within the European Union”.
But what does this mean for businesses and consumers?
- Significantly increased fines for businesses that do not adhere to the new regulations: 20 million Euros or 4% of group worldwide turnover.
- Consumers have the right to be forgotten: upon request, all data about an individual must be deleted unless the information is essential for the fulfilment of a contract between said individual and the organisation in question, or there is a legal requirement to retain the data.*
- Consumers have the right to access all personal data stored about them: this includes both structured and unstructured data, e.g. emails, data exports, etc.*
*Within 40 days of the request (under the Data Protection Act)
In essence, the legislation is aimed at giving individuals more power over their personal data, increasing the onus of responsibility on companies that hold personal data, and increasing the enforcement and size of penalties for poor data management. Much of the GDPR legislation is similar to the Data Protection Act of 1998, but the key differentiator is the increased vigilance and power of the ICO (Information Commissioner's Office) to enforce the laws and hand out penalties.
Which corporate demographics are most at risk?
Companies that give little to no thought to the lifecycle management of their information are at risk of being caught out. ILM (information lifecycle management) may be simple for small and micro organisations to manage, but it becomes more and more complex over time without proper infrastructure to index, manage and destroy data appropriately.
Those who have not tracked and analysed their business systems for at-risk fields of personal data are also at risk of not being able to fulfil right-to-be-forgotten and right-to-access requests fully.
The ICO is likely to come down hard on companies that can show no evidence of a concerted effort to manage and protect their customers' data and have no ILM (information lifecycle management) process implemented, documented and regularly maintained.
Companies that treat their customers' data poorly are also at risk. Firms should treat personal data as they would like their own data to be treated.
Asking permission to collect customer data has never been optional, and it will soon be more thoroughly policed and enforced.
Companies that don't think before they share and distribute personal data with third parties, especially without the permission of the employee, customer or supplier in question, are equally exposed.
There's a reason for the massively growing demand for cyber security expertise internationally. The physical world of the paper document is in decline; in the foreseeable future all business documents will be stored virtually, and companies need a "lock and key" for the new world.
Those with no plan for how to manage right-to-be-forgotten or right-to-access requests will struggle in the event they receive multiple requests. Data on an individual can spread across an organisation's systems through growth, migration or ad-hoc requests and exports, and it can be complex to access all data on an individual throughout a business's system infrastructure.
Multiple requests can interrupt business as usual and cause a drain on resources if there is no efficient process in place. Being overwhelmed with requests could push response times beyond the required 40-day limit and leave the firm open to penalties from the ICO.
Firms must learn to respond to customer requests swiftly, and with the confidence that they are reporting, deleting or anonymising data accurately.
Unexpected events such as data breaches can provoke a significant reaction from disgruntled customers and/or ex-employees, causing a wave of incoming requests and leaving firms scrambling to solve both problems at once under immense pressure.
Planning and preparing for these sorts of events could save a company a great deal of money and protect its reputation.
They can do this by:
- Analysing potential risks and designing detailed response plans for such events.
- Benchmarking response times and stress testing the processes in place for “worst case” scenarios.