Data is an asset, particularly for those that rely on it to maintain a competitive advantage and technology has made it easier to acquire this information.
But unless you’ve been stuck in a remote jungle, you can’t have missed the problems that data security can cause for companies such as Facebook. In response to the increasing sophistication of cyber-attacks, more than 53 countries have active data protection regulations.
From the 25th May 2018, the European Union’s General Data Protection Regulation (“GDPR”) will become a game changer for anyone who handles EU citizen details.
The GDPR replaces the 1995 Data Protection Directive 95/46/EC and its aim is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which it was created.
Data knows no borders. A Gov.UK survey found that over 46% of UK businesses experienced a cybersecurity breach or attack in 2017.
The GDPR safeguards that “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.”
In short, the GDPR puts control back in the hands of citizens and means, regardless of the location of your company, if you sell goods or services, or monitor the behaviour of citizens, you’ll need to be compliant when the regulation takes effect.
After May, anyone asking is entitled to see the personal data you hold on them and you have 40 days to comply. Once reviewed, data can be requested to be erased or that it is no longer used for profiling or other marketing purposes.
It’s generally expected that the GDPR will provide a clear baseline against which business can seek continued access to the EU digital market and it is important to note that these rules apply to both controllers (those that determine the purposes, conditions and means of the processing of personal data) and processors (those who processes personal data on behalf of the controller) – meaning ‘clouds’ will not be exempt from GDPR enforcement.
Failure to meet the requirements will turn out to be expensive – up to 4% of a company’s’ annual global turnover or €20 million, whichever is greater, not to mention the irreparable damage to your business’s reputation.
Despite this, many sectors have yet to comprehend the scale of the provisions necessary for GDP compliance.
As with most regulations the GDPR is a triumph of legalese, 118 pages of it. Here’s our easy top ten tips to GDPR compliance:
- How prepared are you and your processes? If you haven’t already, start with a risk assessment and provide employees with training in data protection. Update privacy notices and consents.
- Who’s in charge of compliance? Data controllers and processors have greater accountability than ever. Clear ownership must be established.
- Do you fear human error? Human error is the root of most data breaches. Employees should be aware of how to reduce data breaches by simple things like locking computer screens and having a clear desk policy. Review your systems and ensure easy data management.
- Does my business need to appoint a Data Protection Officer (DPO) or other resources? DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data. However, you must put regulations in place and be able to cope with procedural changes and any potential flood of information requests.
- What data do you possess, where’s it stored and accessed? You need to know exactly what and how you are storing. All devices with access to data, including PCs, laptops and tablets must be audited and sanctioned for use.
- How do you acquire data? If you are collecting personal data via loyalty schemes or customer profile logins, you must have explicit consent to legally acquire and use it. That means no more pre-ticked boxes.
- Do you share data? You must have a policy that can be shared internally as well as with partners and suppliers. Furthermore, you must have explicit consent to transfer data internationally. Auditing the compliance status of third parties falls within the scope of your GDPR due diligence.
- How do you make contact? You must efficiently manage individuals’ preferences, clearly explain how they will be contacted and how their data may be used to make future contact and have an effective re-permissioning policy.
- How secure are you onsite? Most organisers have flexible working practices. Data must be protected wherever data is accessed.
- What happens if there’s a breach? You have 72 hours to report a data breach to your lead supervisory authority. You’ve been warned of the consequences.
There is a legal and moral obligation to protect data by keeping it safe and adhering to individual’s preferences. Rather like Facebook, those on your database might not feel so kindly if they discover the lack of measures to secure their data in the event of a breach.
Trust, that is vital in the relationship between organiser and participants, is easy to destroy to a point of non-existence. Achieving the high standards of the GDPR goes a long way towards building and maintaining a trusting relationship as well as the health and wealth of events.