Johan Hybinette, CISO of Vonage, offers last-minute tips for GDPR compliance.
On 25 May, the European Union’s General Data Protection Regulation (GDPR) is coming into effect and companies must make radical changes in how they gather, monitor and manage data of EU citizens.
The cost of non-compliance is high, ranging from fines of up to €20m or 4pc of an organisation’s revenue, not to mention the potential loss of customer confidence through negative exposure on social media and in the press. Surveys show that many companies won’t be ready, with 40pc expected to achieve compliance only after the regulation comes into effect.
The new legislation supersedes the current EU Data Protection Directive, which allows each member state to implement it according to its own rules. Also, the current directive only applies to EU-based organisations. With the GDPR, all companies that store, collect or manage data of individuals living in the EU must comply, no matter where they are based.
You don’t have permission – back to square one
GDPR forces companies to make a U-turn when it comes to customer data. Start with the attitude that you don’t have permission to do anything with your customers’ data, even if they gave you permission to use it in the past, and go from there.
With every customer communication you make, ask yourself: do I have explicit permission to contact them? No more blanket email or text promotions to your customer database just in case someone bites.
The way that you store your customers’ data is also affected by this legislation, which distinguishes two kinds of entity: controllers and processors. A controller, for example, could be a homeware store that collects customer information, and the processor is the agency it uses to send out promotional emails and text messages to the customer. The responsibility lies heavier on a controller than on a processor, but that is not to say processors need not ensure they are compliant.
The controller who collects the data may be penalised more heavily for the way it collects personal data and keeps it secure. But anyone who handles customer data, from small businesses to large corporations, can be fined for misuse of customer data.
Are you compliant?
The Information Commissioner’s Office (ICO) has a data protection self-assessment toolkit for processors, controllers and direct marketers to use, in the form of a checklist. It is aimed at small to medium-sized businesses. They can use the data assessment checklist to identify where they are on the compliance scale.
Time is of the essence, and hopefully you have already started your GDPR-compliance implementation. If not, the first thing to do is to discover what personal data you hold and where it is being kept. This should be done before taking any other step to implement your GDPR policy. You should also educate not only key people in your company but anyone who deals with personal data about the impact of GDPR.
There are some basic actions you can take to start implementing your compliance plan. Identify a core team that is responsible for data in your company; this can consist of IT, developers, legal and HR staff. Access to data should be restricted – only give it to staff who need it to perform their work. Create a data map for the organisation that shows you what types of data you have and how they are stored and managed.
It is essential to identify current privacy settings and put a plan in place to make the changes for GDPR implementation. What do your existing consent messages to customers look like? If they do not meet the GDPR standard, update them immediately. Also, do a full review of how you get customers to consent and how the whole process is managed.
Open to interpretation
As with any new regulation, there are areas of GDPR that will be challenged and debated. One of these relates to the right of individuals to request companies to delete their data, which, under certain conditions, companies may refuse. When they do, they have 30 days to explain why they refused the request and we may see some court cases testing this grey area.
It is critical that companies have the right procedure for detecting and investigating data breaches. There is only a 72-hour window to report any data breach under the new legislation. Read the ICO’s code of practice on privacy impact assessments as well as the latest guidance from the Article 29 Working Party.