Data regulation isn’t something that plays on the mind of most business owners. But GDPR, improperly managed, can cause huge headaches for a variety of different sectors and departments including HR, recruitment, sales, marketing and, of course, IT.
Getting it wrong could mean paying massive penalties and incurring the wrath of regulators – something ALL businesses will want to avoid. GDPR isn’t just an IT problem though; its effects are wide reaching, and everyone needs to play their part to ensure that their company gets it right – not just the IT department.
What Is GDPR?
As of 25th May 2018, the EU General Data Protection Regulation (GDPR to keep things nice and simple – at least in terms of wording) comes into effect. It is replacing the existing EU data protection directive, and it means that businesses need to put some important compliance measures in place to ensure that data protection isn’t breached. At all. In any way. And there isn’t a lot of time to get compliant before GDPR implementation, either. Although you may think that this kind of thing falls firmly at the feet of the IT department (any data is likely to be collected and stored digitally, right?), the implications are far wider-reaching.
Personal Data Means…?
Under the old EU directive, personal data meant any piece of information that relates to a living individual and allows that individual to be identified. Basically, if something had someone’s name, address, or any other kind of identifying details on it, it was ‘personal data’ and had to be treated accordingly. Once the new laws kick in, things will be different. The definition of personal data will be wider, and it won’t just be about names and addresses anymore. Post-GDPR, it will include everything that can identify someone, such as their gender, their social identity, their cultural identity, even their mental and economic identities. This is why we say it’s more than just an IT issue. These pieces of information may not come to companies via online orders or emails. They might come through phone calls, through face-to-face meetings, through any kind of interaction in any department at any time.
What about the EU?
Even though Britain is leaving the EU, we still need to comply with GDPR implementation. Non-EU companies that deal with EU subjects’ personal data are all involved with this, and need to understand the regulations. The penalties are huge and not worth risking, so it may be easier to treat everyone – EU or not – in the same way. Just in case.
The new regulation will include special protection for the personal data of children (anyone under 13). The only way that any data which is collected from those who are 12 and under can be used is with the express permission of their parents or guardians.
The Consent Issue
We thought we had the hang of this personal data consent thing, but now that a new regulation is coming in, it’s all change again. There must be a consent document for this new GDPR implementation, which needs to be signed, and it needs to be simple. Really simple. Layman’s-terms simple. If there is any hint that someone signed their consent form without really understanding what it meant, your company could be in trouble, so it’s worth making sure it’s as simple as it can be. The other important element is that it will also need to have an expiry date. In the past, consent was consent and it didn’t run out. Come 2018, it will. If the data is used in any way after that time, you’re falling very much foul of the rules again.
As you can see, this goes far beyond the scope of simply getting people to ‘opt in’ when they give you their email address. The implications for HR, recruitment and customer service departments are extremely complex. Do you record customer phone calls? If so, do you ask for permission? If so, how long do you keep those recordings for? And, if you do keep those recordings, do you have a mechanism for retrieving them, organising them and, if the customer requests, removing them without trace?
Currently, if there is a data breach, there is no obligation to notify the authorities (except in specific situations such as those aimed at communications providers and ISPs). The new regulation will – you’ve guessed it – make it compulsory for any data breaches to be notified immediately if they are going to have an impact on the individual and cause damage; identity theft, for example. Not only will the regulator need to be told, but so will the individual whose data is at risk. Now, although it’s a good thing for the individual to know what’s happening with their own data, this new rule is potentially going to cause problems with lost business. Trust is a fragile thing, and if there is a known data breach, money can easily be lost. This is yet another reason to ensure that GDPR is something that’s acknowledged and addressed at the highest level in any organisation, not just something that’s added to the IT department’s ‘to-do’ list.
At the moment, if someone requests to see their data, organisations have 40 days to comply. After GDPR implementation, this will drop to 30 days, and it won’t just be the data that needs to be sent across. You will need to provide information about data retention periods. If the request is refused, there must be a lot of evidence to prove why. And, if a subject requests the right to be forgotten… they can have it. This is going to have a huge impact for online services, and will mean that although the data might have been collected through a website in the first instance (IT territory), it also needs to be removed from anywhere that it has been disseminated. This means marketing departments, CRMs, even emails, application forms and job applications.
It’s as much about people as it is about IT!
In essence, GDPR is all about people. It’s about the people whose data is collected and stored and potentially used, and it’s about the people who have to come together to make this all work. So when it comes to GDPR implementation, it’s time to look at it as a positive step – it clarifies what is currently a rather woolly directive, and it offers additional protection for everyone – it’s a good thing. You just need to approach it in the right way.
Sounds tricky, doesn’t it? Sounds like even the most diligent organisations might have some questions. But that’s okay – that’s what we are here for. We can guide you through the changes to ensure that you are on top of all the new regulations that come into play in 2018. Everyone at Infinity Loop has wide-reaching business experience and is perfectly placed to help you ensure that EVERYONE in your organisation is ready for GDPR.