Personal data has gained colossal economic value as the digital market grows rapidly. To foster innovation and open new business opportunities, the EU General Data Protection Regulation (GDPR) will apply from 25 May 2018. It introduces a single set of data protection rules across all EU Member States, regardless of where the data is processed, and gives control back to individuals by strengthening their right to data protection.
GDPR will make it easier for multinational companies to comply with data protection rules by introducing a regulation that applies directly across the EU, without Member States having to transpose it into national legislation. Current law is based on Directive 95/46/EC (the Directive), which each Member State had to implement in its own way, leading to inconsistencies. Companies have over a year to prepare for the rules that take effect in 2018.
New extended regulations
GDPR broadens the definitions of both personal and sensitive data. Information such as identification numbers, location data, cookie identifiers and IP addresses will count as personal data when, alone or combined with other information, they can be used to identify an individual. Anonymised data is the exception: data that can no longer be linked to an identifiable person falls outside the regulation altogether. Pseudonymised data, by contrast, remains personal data, because the link to the individual can be restored using the additional information held separately. The definition of sensitive data (the special categories) will explicitly include genetic and biometric data, alongside political opinions and religious and philosophical beliefs. Any company dealing with behavioural or biometric data, or applying pseudonymisation, should revise its procedures.
One of the most important changes affecting every company handling personal data is the individual's right to have their personal data erased, rectified or its processing restricted without undue delay. Where processing relies on consent, that consent must be a clear affirmative act: the individual has to be aware that they are giving it, so pre-ticked boxes on websites will no longer count. (Consent is only one of the lawful bases for processing; a contract, a legal obligation or a legitimate interest may apply instead, but whichever basis is used has to be identified and documented.) Individuals also gain the right to data portability, meaning they can obtain their data and have it transmitted to another controller. This right only covers data the individual provided to the controller, not data the controller derived or generated from it.
Who will be affected
Compliance with GDPR will not be expected only from controllers and processors established in the EU. Organisations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, also come within the remit of the new rules. This includes anyone processing data through websites and cookies. Since online identifiers are now part of the definition of personal data, every organisation performing data analytics, analysing user behaviour, running advertising or operating social channels needs to revise its procedures to ensure compliance with GDPR.
How to comply and avoid fines
GDPR introduces a new principle of accountability: organisations must not only comply but be able to demonstrate compliance, supplying evidence to the supervisory authority on request at any time. Data minimisation applies throughout, meaning only data that is adequate, relevant and limited to what is necessary for the purpose may be processed. Data must be accurate and kept up to date, with the ability to rectify or erase it without delay.
GDPR introduces a stricter understanding of consent and allows data subjects to withdraw it at any time; withdrawing consent must be as easy as giving it. Before giving consent, subjects must be informed of their right to withdraw it. Consent must be freely given, specific, informed and verifiable. To support compliance reporting, companies need to keep records of how and when each consent was obtained.
The subject must be fully aware that they are giving consent and be in a position to make that decision. Pre-ticked boxes, silence or inactivity will not count. Controllers will need to give individuals more information about how their data is processed and make all processing activities transparent. In addition, personal data breaches will need to be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals.
Companies will have to ensure staff are trained to handle requests from individuals. Appropriate IT systems will need to be in place to support rectification, erasure, data portability and restriction of processing. Unfortunately (for companies), the time allowed for responding to such requests is reduced from 40 days (the current UK subject access period) to one month, extendable by a further two months only for complex or numerous requests.
Are you prepared?
GDPR is the most significant change to data protection law in the past 20 years. It will affect the vast majority of companies in the EU and many outside it. Preparing for compliance cannot be done overnight, so it is vital to raise awareness of the requirements early. According to reports from TRUSTe and Trend Micro, about 50% of companies are still not aware of GDPR. Of those who are aware, on average 23% do not know about the penalties for non-compliance, and only half of those who are aware of the fines know how high they can go: up to €20 million or 4% of annual worldwide turnover, whichever is higher.
Although there are about 1.5 years left to get to grips with the new rules, 35% of companies still have not started putting adequate security in place. For small businesses this should be enough time to carry out audits and apply changes; larger companies may need longer to work out which adjustments their existing practices require, implement new solutions and train staff. A quarter of companies do not know how much time they need to prepare, 11% say they need two to three years, and 31% estimate six to twelve months.
20% of companies plan to start budgeting only once the regulatory changes take effect. It is important to bear in mind that postponing the process will not cut costs; it only raises the chances of being non-compliant. Organisations outside the EU that process the data of individuals in the EU will also need to adhere to the new rules, and that includes third parties such as cloud providers acting as processors.
GDPR compliance will bring a set of challenges that need to be addressed early. A quarter of decision makers cite limited resources as one of the biggest obstacles to improving data protection compliance. Other challenges include the lack of processes for notifying data breaches, lack of financial resources, and confusion about the meaning of certain aspects of the regulation. Hence 55% say they need help in the form of more detailed guidance on the requirements.
To save on costs and make compliance less painful, have a look at the Intouch solutions. The Intouch enterprise ecosystem for contact details helps you obtain high-quality personal details driven by user consent.