Fifty-odd years ago, data protection was not a pressing corporate issue. Today, however, the world runs on data, and that data requires adequate security measures. Under the current Data Protection Act, the data controller has to comply with the law and carries more duties than the data processor. With the introduction of the GDPR in May 2018, they will share equal responsibilities: the data processor will soon face new obligations and will have to comply with the law to the same extent as the data controller. (1) You can read about the implications of the GDPR in our other blogpost here: http://blog.intouch.com/gdpr-in-a-nutshell/.
Yes, our previous blogpost was also about the GDPR, but it is important to understand that it can be viewed from many different angles. The volume of change that comes with its implementation will require companies that hold data to review and adjust their business strategy. The level of responsibility that your company, or you as an individual, has over personal data depends on one question: are you a data controller or a data processor? Below, we distinguish between the two.
Data controllers administer the use of, and store, personal data belonging to data subjects. They can be either individuals, such as pharmacists or politicians, or “legal persons” such as companies, Government Departments and voluntary organisations. Some data controllers must register annually with the Data Protection Commissioner, in order to make their data handling practices transparent. The role of the data controller carries serious legal responsibilities, and failing to meet them can result in heavy fines. These responsibilities can be summarised as 8 ‘Rules’… (2)
1. Collect and process personal data fairly
The underlying principle of data protection, which data controllers need to pay attention to, gives them the duty to obtain and process customer data fairly, with the customer’s permission of course. As a controller, you are also required to explain why you are obtaining their data in the first place. Reassure them in your terms and conditions by explaining how you will keep it safe and secure. If you are honest with them, they will happily fill out your form with true and accurate information. This creates an element of ‘trust’ at the first step of data protection. The tricky part is maintaining that trust through the 7 rules that follow… (3)
2. Keep it only for specified and lawful purposes
Companies obtain customer information for e-commerce, deal and promotion notifications, feedback, loyalty programs, or to link to customers’ past transactions and see their interests. You shouldn’t use it for any other purpose unless the customer approves. It is a great marketing tool; don’t abuse it. (4)
3. Process it for the purpose it was obtained
Use of the data must match the purposes stated. Customers want to know what these intended uses are; after all, it is their information. Would you feel comfortable if someone was taking your details without a valid reason? In addition, disclosing their information to an outside party is an infringement which damages the trust established at the first step. If you break this trust, you could end up paying a fine and losing a loyal customer. (5)
4. Protection: keep it safe and secure
It goes without saying that appropriate security measures must be implemented to protect personal data. Certified and up-to-date IT security measures, passwords, well-trained staff and a modern data-handling back-end for storing the information should all be used. Only a limited number of your workforce should have access to this information: the more people with access, the less safe it is. (6)
5. Keep it up-to-date and accurate
Making sure data is up-to-date is crucial. If someone changes their mobile number or email address, the information you hold becomes useless. Customers should be reminded regularly to update their details, so that you are not storing worthless information. This can be done through a digital loyalty program or simply by asking them. (7)
6. Ensure that it is adequate and relevant
Does your data relate to your target audience, and is it useful for your business? If not, you either need to delete it and obtain new information, or further develop your business strategy. Adequate customer information is essential to the success of any marketing campaign. (8)
7. Delete if it is no longer needed
If you store out-of-date data or information that you no longer need, why keep it? It takes up storage space that could hold useful data in the future. Just as you throw out old, ragged clothes when they no longer fit, you should get rid of unused personal data that you may still hold on a former customer. (9)
8. Give a copy of his/her personal data to any individual, on request
If a customer wants a copy of their data, you as a data controller have a duty to provide them with one. The data subject must apply in writing and pay a small fee. You then need to process the request and reply within 40 days. Easy, right? (10)
Many data controllers do not appreciate the vital responsibility they carry when retaining data on employees, customers, clients and others. The GDPR emphasises transparency, security and accountability on the part of data controllers, while at the same time standardising and strengthening the right of European citizens to data privacy.
The data processor is a legal person, public authority, agency or other body that processes data on behalf of the controller. With the GDPR, new obligations for the processor will come into force. These duties are as follows…
1. Controller’s instructions
Data controllers may only appoint processors that provide sufficient guarantees to implement appropriate technical and organisational measures, ensuring that their processing activities meet the requirements of the GDPR. Processors are required to process personal data in accordance with the controller’s instructions and cannot act on their own initiative, unless Union or Member State law provides otherwise.
2. Restrictions on sub-contracting
The GDPR gives data controllers a great deal of control over a processor’s ability to sub-contract. Data processors require prior written consent from the controller before engaging a sub-processor. This consent can be general, but the processor must still inform the controller of any new sub-processors, and the controller can object to them. The lead processor must pass its main contractual duties through to its sub-processing agreements and remains liable to the controller for the actions and omissions of the sub-processor. (11)
3. Controller/processor contract
Many data processing agreements currently fail to describe the type of personal data and the categories of data subjects involved. Under the GDPR, data processing activities must be governed by a binding contract between the processor and the controller. That contract must set out the duration, nature and purpose of the processing, the types of data processed, and the rights and duties of the controller.
4. Demonstrating compliance
Processors are obliged to maintain a record of all processing activities. This must include details of the controllers, processors and DPOs, a general description of the technical and organisational security measures, the categories of processing carried out, and details of any transfers to third countries. These records must be made available to the supervisory authority on request.
5. Security measures
Data processors must implement appropriate security measures for personal data. A variety of factors are taken into account when assessing these measures, such as the sensitivity of the data, the risk of a security breach, the cost of implementation, and the nature of the processing. What works for one company may not work for another, depending on the volume of information. This is why companies should test the effectiveness of their security measures regularly. (12)
6. Breach notification
The data processor is obliged to notify its controller of any data breach straight after becoming aware of it, so that the controller can act on the breach quickly. If a processor fails to notify, this can amount to a breach of contract or of a legal obligation.
7. Data Protection Officers
As discussed in our last blogpost, a DPO is a person who ensures that an organisation complies with the GDPR. Processors, as well as controllers, are required to appoint a DPO in certain situations. These include where the company is a public body, where its data processing activities require regular and systematic monitoring, or where its core activities involve large amounts of sensitive data. (13)
It is imperative that key personnel in your organisation are aware that the current Data Protection Acts are being replaced by the GDPR, so they can factor this into their future planning. Whether a data controller or a data processor, they should identify the areas that could cause compliance problems under the new regulation. After all, a head start on compliance can only help. Visit intouch.com to have a look at our solutions, which could bolster your compliance.