The new act has been put forward to help increase the security and protection of all of our data. The current data protection act was conceived in 1998, years before Facebook, Twitter, iPhones, Snapchat and online shopping became the fabric of everyday life as we know it in 2017. So, understandably, the 1998 act wasn't quite cutting it.
As of the 25th May, your business must:
- Have a chief data protection officer appointed
- Report data breaches within defined timeframes
- Outline the purpose of the data being collected
- Keep all data secure
- Demonstrate freely-given consent when collecting user data
- Create clear and transparent policies and procedures
Consumers/Customers will be able to:
- Request that their data be permanently erased
- Request that certain data be transferred
Questions your organisation needs to be considering right now:
- What data do you currently hold on your customers/clients?
- Where is the data held?
- How is this data managed?
- Who has access to the data?
And for those that fall foul of the GDPR laws, there will be a fine of up to 4% of your global annual revenue.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
One of the main issues with the GDPR rules and regulations is the many grey areas that seem to exist. The ICO has put together an overview (link below) of the GDPR, what certain definitions mean to your business, and the data you collect and hold on your customers.
The ICO website directly quotes Article 5 of the GDPR, which requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These 5 points seem okay at first glance, but when you look at point (c), that entire sentence is surely down to interpretation. Could an organisation argue, for example, that it needs all of the data it holds on an individual because it helps them provide the highest level of customer service? (Probably not, but you can see many questions arising from this point.)
ICO – Overview of The General Data Protection Regulation (GDPR)
“THEY NEED TO UNDERSTAND THERE IS NO GENERAL APPROACH APPLICABLE TO ALL COMPANIES.”
This opening quote from the recent interview carried out by We Live Security is perfect. There is no one-size-fits-all approach when it comes to GDPR.
Businesses and GDPR: what do they need to do to be compliant?
Marketing Week has recently published an article that features an interview and commentary with Steve Forde, director of online product and marketing at ITV. This is one of the few articles we have read that looks at the GDPR changes as a positive for the organisation. ITV is a colossal beast, with many departments and segments making up the entire organisation. They collect huge amounts of data from a variety of sources, so they have been working hard on becoming GDPR compliant for the past 12 months.
“It’s always better to have someone opt in and say ‘hands in the air, I’ve seen it and I’d like to receive something from you’. They are then much more likely to be an active viewer and someone who opens your communications regularly.”
At the heart of this huge operation is simplicity. Viewers and customers don't want to feel insecure when they hand over their data to a business, so ITV is making sure that everything it communicates to its customers is written in plain English.
“All communication needs to be easy to understand. We’ll explain how we’ll be using data and how consumers can control it.”
Avoiding negative reviews and commentary can easily be achieved through clear messaging and leaving the consumer in control of their data. Simple opt-in/opt-out options, and not tricking users into being part of something they aren't aware of, are two quick and easy ways to maintain customer trust and loyalty.
Marketing Week – Why ITV is treating GDPR as an opportunity rather than a challenge