Six Months to Get Your Act Together
Are you GDPR Ready?
There are only six months to go until every citizen living and working in the European Union (EU) and the United Kingdom will have robust rights over the use of their personal data. Without their ‘affirmative consent’, your company could face a steep fine of EURO 20 million or up to four percent of your global revenue, whichever is higher.
With this in mind, it pays to make sure your company and employees are ‘GDPR ready’.
The GDPR Act – what is it?
Devised five years ago by the European Parliament, European Council and European Commission, the General Data Protection Regulation (GDPR) Act is a law designed to give EU citizens full control over their personal data and how it is used, while holding global entities to account should they mismanage that information. Coming into effect on May 25th 2018, the GDPR Act will significantly change the way companies operating in Europe and beyond obtain, handle and erase the personal information of all living EU individuals.
What does this mean for your company?
In essence, the law forces all law-abiding entities to review and adapt their practices for obtaining and holding data. For most, that means an overhaul of processes and practices. For example, from May 25th, 2018 every business must seek ‘affirmative consent’ from an individual. That means only an opt-in clause, and nothing else, will do. But if you’re thinking of drafting a generic consent agreement, think again! Firms must seek consent for each specific activity. The days of harvesting Personally Identifiable Information (PII) for marketing and other associated activities are fading. If the customer has not specifically ticked ‘yes’, then it’s an automatic ‘no’.
Peter Yeung, Episerver’s Global Data Protection Officer and General Counsel says, “A subject’s consent has to be a clear, unambiguous, affirmative consent to processing.”
And that’s not all. From May next year, every customer of yours will have the right to ask you for the data you hold on them, even data you’ve shared with a third party, and you must provide it within 25 working days.
What’s more, customers will have the ‘right to be forgotten’, and if they request this, you must delete all their data from your systems.
“This is the first time customers have had the legal right to hold firms to account,” reveals Linus Ekstrom, Chief Technology Officer at Niteco. “Although the onus is still on each company that works within the EU and the UK to operate responsibly, or they’ll face huge penalties as a consequence.”
As well as ensuring you seek consent each and every time you wish to handle or store Personally Identifiable Information, you must also ensure that only the few who need it within your organization have access to the data. “Map and evaluate all your processes, and make sure that all employees handling data know that they are bound by a confidentiality agreement,” Linus advises.
And if you discover a breach, are you sure you have the necessary reporting system in place to ensure the breach can be reported to your local Data Protection Authority within 72 hours?
Not sure? Hiring a Data Protection Officer may well be a wise move…
The ramifications of the Regulation are so far-reaching that experts are recommending that a Data Protection Officer be appointed at companies with 250 or more employees. “It’s easy to think that the GDPR is a legal issue, but it’s not,” warns Linus. “The stipulations in this law and their weighty implications mean businesses have no choice but to adopt new ways of working and institute a watertight culture of safeguarding personal data, including appropriate levels of physical and technical security.” Linus believes that a Data Protection Officer can take the lead on the steps needed to ensure a company is ‘Regulation Ready’ and can also be a helpful conduit between the company and its development partner.
What should you expect from your development partner?
Although the legal obligation to ensure compliance rests with the company, working with a software development partner that explicitly understands the implications of the law for your business is critical. After all, their insight and problem-solving capabilities could save you millions. Linus explains, “As software development experts who help major companies manage and sometimes migrate data, we can bring our technical know-how to good effect. Our partners, Episerver and Sitecore, are also able to support global firms in preparing their systems for the impending reality of data management post May 25th 2018.”
Learn more about how Niteco can help your company become GDPR Ready by getting in touch with us today.