For those in customer communications, everything changes on the 25th May 2018
This is the date that the EU General Data Protection Regulation (GDPR) is set to come into effect, marking a significant change in the way that global businesses manage their customers’ personal information. The regulation introduces serious implications for non-compliance – including sanctions of up to €20 million or 4% of your company’s revenue – and expands the territorial breadth of European data protection law.
Although there are severe repercussions for being in breach of GDPR, a startling number of EU bosses are completely unaware of how the new regulation will affect their business. Latest figures show that 60% of European business leaders are not prepared for the directive, and many companies have adopted a high risk ‘wait-and-see’ approach at a potentially high cost.
The introduction of GDPR addresses two of the most significant weaknesses in the existing EU Data Protection Directive; namely that a) each member state originally implemented the directive in its own way, resulting in inconsistency; and b) the directive only applies to EU-based organisations. The GDPR, however, imposes new consistent rules that will affect all companies that collect, store or otherwise manage the data of individuals who live in the European Union, regardless of where in the world they are based.
How, then, can consumer-focused companies that fall under this blanket achieve compliance and circumvent the serious implications of breaching GDPR?
Controllers and processors
What GDPR means for your company depends on whether your business is a controller or a processor. A controller is a company that collects personal data and decides how it is to be processed, whereas a processor is a supplier that handles the data on behalf of the controller. For example, whilst a bank (controller) will collect its customers’ data, it will use a direct mail agency (processor) in order to communicate with them.
GDPR compliance lies mainly at the door of the controller, particularly in regards to securing user consent, but that doesn’t mean that processors aren’t liable for how they handle data. Under GDPR, all companies – controllers, processors, small businesses and large enterprises alike – are expected to protect the data-related rights of EU residents.
All rights reserved
The GDPR makes a big deal about protecting ‘data-related rights’ but what exactly are these rights? Well, according to the UK’s Information Commissioner’s Office, EU residents will be entitled to the following:
- The right to be informed: organisations must state clearly how they intend to use personal data. That means an end to excessively complex and long-winded privacy policies.
- The right of access: organisations must provide individuals access to the data they hold on them without any charge.
- The right of rectification: if the data held by an organisation is found to be incorrect, it must be amended and the correction must be sent to any third parties with whom the incorrect data was shared.
- The right to erasure: EU residents can ask organisations to delete their data and prevent further processing of it.
- The right to restrict processing: individuals control how and where organisations use their data.
- The right to data portability: individuals must be able to export their data in an open format, such as CSV.
- The right to object: this grants individuals a wide-ranging ability to ask organisations to stop processing their data.
- Rights regarding automated decision making: this grants EU residents the right to know when a decision was made automatically/algorithmically (e.g. by artificial intelligence, or AI) regarding their personal data.
The guidance outlined by the GDPR certainly leaves a lot up for debate. For example, while individuals can use the right to erasure to ask a company to delete their data, there are certain instances in which those organisations can refuse. The company is then required to present its decision and the legal basis of its refusal within a month, ultimately leading to a murky area where the rights of the individual are pitted against certain defined needs of the organisation. As each EU member state implements GDPR, we can expect to see a number of court cases test the elasticity of this grey area.
Ambiguities aside, the fundamental overarching principle of the GDPR is that individuals will now have control over how their data is collected, processed and used in decision-making. And whilst this will ultimately affect the whole wider ecosystem of business processes for any given company, one area in which it is of particular importance is in customer communications.
Customer communications and radioactive data
When GDPR comes into effect on the 25th May, businesses will need to dedicate more time and energy to understanding exactly what data they need, what they are planning to do with it, and why their organisation is legally allowed to have it.
Careful thought will need to go into every communication made with customers, as well as into each item of personal data that is collected or processed. This is a far cry from the majority of customer communications today, which often occur without a single concern for legality. But under GDPR, permissions and informed consent are essential considerations for every SMS sent and every IP address stored.
For business leaders this might sound like a daunting prospect – and it should do. GDPR requires a complete re-evaluation of how your company regards and treats personal data. Furthermore, with such a great deal of room for error and misinterpretation, the new regulations mandate the need for businesses to operate with the utmost vigilance.
It goes without saying that detailed documentation and clear-cut audit trails are your company’s best defence if something goes wrong and an individual threatens legal action. But there are also a number of steps that businesses can undertake in order to ensure they are GDPR-compliant before D-day.
Preparing for GDPR
The first step for any company looking to achieve compliance should be to identify what personal data they have and determine where it resides. This should be established before defining any new GDPR-compliant policies, procedures, roles, and responsibilities related to the access, management and use of personal data. At the same time, decision makers and key people within the organisation should be made aware of GDPR and the potential impact that the new regulation may have on the business.
Establishing a core team of IT, developers, legal and HR staff should be another priority. These are the people who can assist with understanding where personal data is held and whether that data is protected by GDPR. Similarly, access to such data should be given only to the staff and systems that need it for work-related purposes. Data flow mapping will help to ensure businesses understand what personal data they hold, where it came from and who it is shared with.
Companies should review their current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. Existing consents should be refreshed if they don’t meet the GDPR standard, and a full review on how consent is sought, recorded and managed should be undertaken.
It is of the utmost importance that the right procedures are put in place for detecting, reporting, and investigating a personal data breach – you only have 72 hours to report a breach under GDPR. Individuals should also familiarise themselves with the ICO’s code of practice on Privacy Impact Assessments – as well as the latest guidance from the Article 29 Working Party.
For all companies that engage in customer communication, these new, more stringent review systems are essential to operating under GDPR. With the 25th May deadline rapidly approaching, the time is now to prepare for these changes.
About the Author
Johan Hybinette is Chief Information Security Officer at Vonage. With more than 20 years of experience in information security, Johan brings to Vonage deep knowledge of the cloud industry and the security needs it presents. Most recently, he served as CISO at Hosting.com, a major international managed cloud provider, where he was responsible for securing and managing the company’s vast portfolio of compliance certifications. Johan led the organization’s risk and compliance transformation to improve overall efficiency and communications, and generated more than $2 million in cost savings from evolving technologies and processes.
A graduate of Georgia Tech University with a Bachelor’s degree in Mechanical Engineering, Johan holds numerous professional Information Security certifications.