Coming into effect on 25 May 2018, the GDPR significantly changes the Data Protection landscape and how companies throughout the EU must comply. If you don’t? You could be fined!
You may not even know what it is but the GDPR is a BIG DEAL. Why? Because it changes Data Protection legislation and could significantly affect your business. Read on to understand how the GDPR will affect you.
What is the GDPR?
The General Data Protection Regulation (GDPR) is new legislation passed by the EU which strengthens and unifies data protection for all individuals in the European Union – which of course includes Ireland.
Any organisation established in the EU that processes personal data (think lists of customers and other details like credit card information, addresses, birthdays, employment details, photographs of individuals, CCTV images, and similar) is subject to the GDPR, and so is any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour. Because the GDPR is a Regulation rather than a Directive, it applies directly in every member state without waiting for national implementing laws.
How does it apply to my business or organisation?
If you’re holding personal data on your IT infrastructure the new GDPR rules almost certainly apply:
-
Consent is one of six lawful bases for processing personal data under the GDPR (the others include performing a contract with the customer, meeting a legal obligation, and your legitimate interests). Where you rely on consent, it must be ACTIVE. That is, you must pro-actively ASK customers for permission to keep their personal data on your IT infrastructure.
-
Pre-ticked boxes, silence and inactivity no longer count. Consent must be a clear affirmative action (an unticked opt-in box the customer ticks, for instance), and you can only collect – and keep – the personal data that the customer has actually agreed to.
-
The data must be collected for a SPECIFIC, explicitly stated purpose, and must not later be used for something incompatible with that purpose.
-
Your company or organisation must be able to PROVE, if asked, that an individual’s express consent was obtained before their data was stored: record who consented, when, how, and to what.
-
Once that purpose has been fulfilled the data must not be kept in identifiable form: it must be fully DELETED (or irreversibly anonymised).
-
If your business does not comply, the supervisory authority can order your personal data processing to stop, and / or fine you, and / or the individuals whose data you store and use can sue you for compensation. If processing is stopped by the authority, depending on the nature of your business, it could severely affect operations.
What is the new definition of Personal Data?
The GDPR defines personal data broadly as any information relating to an identified or identifiable person, and explicitly covers:
-
Any data previously covered by existing Data Protection Legislation
-
Online identifiers such as IP addresses, cookie IDs and device IDs
-
Factors specific to a person’s physical, genetic, mental, economic, cultural or social identity (health information, including mental health, is also ‘special category’ data with stricter rules)
-
Images – including photos and video in which a person can be identified (for instance, footage captured by CCTV cameras)
In other words – almost all data of any kind related to individuals is now covered by the new GDPR data protection legislation.
The Rights of Consumers
-
Consumers (data subjects) have the right to contact any organisation holding their personal data and to access that information: what is being held, why and for what purpose the data is being processed and used, who it is shared with, and for how long it will be retained. Access to that data MUST be given, normally within one month of the request.
-
The data controller (that is, your organisation, which decides why and how personal data is processed; the term does not mean an individual employee) must provide a secure copy of that data to the person making the request. Verify the requester’s identity first, so that an access request cannot itself become a data leak.
-
Consumers have the right to have incorrect or incomplete data corrected (rectification).
-
The Right to Be ‘Forgotten’ (erasure) – individuals have the right to demand that data is completely deleted if it’s no longer needed for the purpose for which it was collected.
Where consent was your lawful basis, they can also trigger deletion simply by withdrawing that consent, unless you have another legal ground (a legal obligation to retain invoices, for instance) for keeping some of the data.
For instance: let’s say your company launches New Service Y. A prospect, we’ll call her Mary, signs up for that service. As part of this, she gives her express consent for your company to hold data relevant to that service. In this case it includes Mary’s phone number, email address, IP address, home address, Facebook and LinkedIn account information, credit card numbers, and some socio-economic data.
A month following the start of the service, Mary cancels her contract with you.
She phones your company, asking if you still hold her data. You must tell her, and you must give her transparent access to that data (after confirming that the caller really is Mary).
She has the right to demand that all of her data held by your company is completely erased.
Moreover, your company must instruct any processor holding copies of that data on your behalf (a hosted CRM, an email-marketing platform, or a backup provider, for instance) to delete them, and, if you have made any of the data public, take reasonable steps to inform other organisations processing it that Mary has requested erasure of links to and copies of that data.
-
Movement of Data (portability) – consumers can ask for the data they provided to you to be handed over to them, or transmitted directly to another organisation of their choice where that is technically feasible. So, using the example above, Mary decides to move her service from your company to a competitor. She has the right to demand that your company transfer that data to the new company; if she also withdraws her consent, she can demand that you delete the personal data you hold once the transfer is done.
To comply quickly, you must be able to hand the data over in a structured, commonly used, machine-readable format (CSV, JSON or XML, for instance). You do not have to store it that way internally, but you do need an export that produces it on demand. Any data transfer request must be completed free of charge and without undue delay, normally within one month.
What Happens if I have a Data Breach?
If personal data is breached, whether by malicious attack (malware or ransomware, for instance), lost or stolen equipment, or an accidental disclosure, you MUST notify the Data Protection Commissioner (Ireland’s supervisory authority) within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk to the people affected. You must describe the nature of the breach, the categories and approximate numbers of people and records involved, the likely consequences for those people, and the measures you have taken or propose to take. Because the clock runs from the moment you become aware of the breach, you need to be able to detect breaches, not just respond to them.
Moreover, where the breach is likely to result in a high risk to the individuals affected, you must inform them without undue delay and in clear, plain language, so that they can protect themselves (by changing passwords or watching for card fraud, for instance).
What does your business have to do?
In addition to what has been mentioned above, here are only a few actions you must take from 25 May 2018 and beyond:
-
Appointment of a DPO – if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (health data, for instance), or you are a public body, you must appoint a Data Protection Officer. This person acts as an ‘extension’ of the data protection authority inside your business, must ensure that personal data processes, activities and systems conform to the law, and is the contact point for the supervisory authority.
-
Data Protection Impact Assessment (DPIA) – the GDPR requires data controllers to conduct a DPIA where processing is likely to result in a high risk to individuals (large-scale monitoring or profiling, for instance), to identify and reduce that risk before processing starts. In practice this means you can’t begin such a project involving personal data without first documenting the risks and how you will mitigate them; if the residual risk remains high, you must consult the Data Protection Commissioner before proceeding.
-
Complete erasure of personal data – many companies have personal information regarding customers scattered across multiple servers. Often those servers are ‘islands’ and are not centralised. However, should a project come to an end which means you no longer require a set of personal data, or if a customer demands their data be deleted, you must make absolutely certain that every instance of that data is completely deleted – not only on the primary data infrastructure but in every other copy: test systems, spreadsheets, mailboxes, and backups. Where a backup cannot be edited in place, document a retention period after which it is overwritten or destroyed, and make sure that anything restored from it is re-checked against erasure requests received since the backup was taken.
What should you do now to prepare?
Do remember you only have one year to prepare for the GDPR, which comes into effect on 25 May 2018. Here are some steps you can take now.
-
Become fully aware of the GDPR. Download the free handbook, The GDPR and You, published by Ireland’s Data Protection Commissioner to find out more.
-
Data Audit and Discovery – conduct an audit of the personal data held by your business. Where is it located? In what format? Who has access to it, and why do you hold it? Can your business easily – and fully – delete (or amend) every instance of a person’s data if requested? Include shared drives, mailboxes, spreadsheets, log files and backups, not just the main database: that is where forgotten copies live.
-
Protect your Data – make certain your IT infrastructure, and the data it holds and manages, is protected against malicious intrusion (Malware, Ransomware, and similar attacks) and against accidental loss. No system is protected from every intrusion; the GDPR asks for security appropriate to the risk, which for most businesses means patched systems, tested backups, access limited to the staff who need it, encryption of data at rest and in transit, and monitoring that lets you detect a breach within the 72-hour reporting window. Remember that a data breach must be reported quickly and could interrupt your business. Prepare now.
-
Make sure you can export any individual’s personal data in a commonly used, machine-readable format such as CSV, JSON or XML. This is about having a working export for access and portability requests, not about changing how every file is stored.
-
Think through how you will give individuals access to their personal data, if they demand to see it. Remember, you MUST give them access (if requested) within one month. How long will it take you to locate a specific individual’s data and all instances of that data? Can you easily update every instance if an individual makes a request? Can you delete every instance of that data if so demanded? How will you verify that the person asking is actually the data subject? Make certain you have a process and procedure in place.
-
Applying New Customer Consent Procedures – remember, consent must be freely given, specific, informed and unambiguous for you to rely on it. You must clearly define how you will use personal data, provide customers with a means of giving consent that requires a clear affirmative action, keep a record of that consent, and make withdrawing consent as easy as giving it.
-
Data Breach Procedures – develop a step-by-step procedure your business will follow if you experience a data breach: who detects and escalates it, who assesses the risk, who notifies the Data Protection Commissioner within 72 hours of becoming aware of it, and who informs affected individuals where the risk to them is high. Keep a log of every breach, including those you decide not to report, and the reasons for that decision.
These are only a few ways you can begin to prepare. Start now!
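The audit and access steps above (where is the data, in what form, and can you find every instance of one person’s data) can be started with a simple scan. The following is an added example, not code from the original article or from DB Computer Solutions: a Python script that scans constructed sample files for the identifier types the article lists as personal data (email addresses, IP addresses, phone numbers and card numbers), builds an inventory per location, and locates every file holding one named person’s identifiers. The file names, their contents and the Irish-style phone-number pattern are assumptions; card numbers are confirmed with a Luhn check so build numbers and timestamps are not reported as cards.

```python
"""Personal-data discovery scan (added example; not part of the original
article or DB Computer Solutions' own tooling).

The sample files below are constructed stand-ins for the 'island' servers
the article describes. A real audit would walk file shares, database
exports and mailbox archives with the same scan_for_personal_data() logic.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Patterns for identifier types the article lists as personal data.
# The phone pattern is an assumption (Irish-style +353 / 0xx numbers);
# adjust it for the countries you actually serve.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "phone": re.compile(r"(?<!\d)(?:\+353\s?|0)\d{1,2}[\s-]?\d{3}[\s-]?\d{3,4}(?!\d)"),
    # 14-19 digits with optional spaces/dashes; confirmed with luhn_ok() below.
    "card_pan": re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)"),
}

# Constructed sample data: path -> file contents (assumed, not real systems).
SAMPLE_FILES = {
    "crm/customers.csv": "name,email,phone\n"
                         "Mary Byrne,mary.byrne@example.com,+353 87 123 4567\n",
    "web/access.log": '203.0.113.42 - - [10/May/2017:10:00:00 +0100] '
                      '"GET /signup HTTP/1.1" 200\n',
    "finance/orders.txt": "order 1001 mary.byrne@example.com card 4111 1111 1111 1111\n",
    "notes/readme.txt": "Version 2.3.1 released, build 1234567890123456 is not a card\n",
}


@dataclass(frozen=True)
class Finding:
    path: str       # where the data lives
    category: str   # which kind of identifier
    value: str      # the raw match (mask it before putting it in a report)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_for_personal_data(files: dict) -> list:
    """Return one Finding per identifier occurrence across all files."""
    findings = []
    for path, text in files.items():
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(0)
                if category == "card_pan" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue  # a long digit run that is not a card number
                findings.append(Finding(path, category, value))
    return findings


def inventory(findings: list) -> Counter:
    """The audit view: how many of each identifier type sit in each location."""
    return Counter((f.path, f.category) for f in findings)


def locate_subject(findings: list, identifiers: list) -> list:
    """Every location holding one of a single person's identifiers, which is
    what an access, rectification, portability or erasure request needs."""
    wanted = {i.strip().lower() for i in identifiers}
    return sorted({f.path for f in findings if f.value.lower() in wanted})


def mask(value: str) -> str:
    """Redact a matched value so the audit report is not itself another PII copy."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


if __name__ == "__main__":
    found = scan_for_personal_data(SAMPLE_FILES)
    for (path, category), count in sorted(inventory(found).items()):
        print(f"{path:22} {category:9} {count}")
    print("Mary's data is in:", locate_subject(found, ["mary.byrne@example.com"]))
    for f in found:
        print(f"  {f.path}: {f.category} = {mask(f.value)}")
```

Run on the sample files, the scan reports the CRM export (email and phone), the web log (IP address) and the orders file (email and card number), finds nothing in the readme because its 16-digit build number fails the Luhn check, and answers the request-handling question directly: Mary’s email address sits in two places, so both must be covered by any rectification, portability or erasure request. The same pattern-and-inventory approach extends to database dumps and mailbox exports; what changes is how the files are read, not how findings are recorded.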
And if you don’t comply? You could be fined or sued.
If you do not comply with GDPR regulations your company could be facing huge fines (up to €20 million or 4% of the previous year’s worldwide annual turnover, whichever is greater; a lower tier of €10 million or 2% applies to infringements such as failing to keep records or to report a breach). Additionally, you will be open to legal action and lawsuits from consumers whose data you store and use.
How can we help you prepare for GDPR?
DB Computer Solutions can help you comply with new GDPR regulations by assisting your company to prevent data breaches with preventative IT health checks and infrastructure management as well as advice on firewalls, backups, and anti-intrusion tactics. We can also help conduct data audits, centralise relevant databases, and restructure data into commonly used formats such as CSV.
For more information contact us. Email: info@dbcomp.ie, Tel: 061 480 980