As May 2018 approaches, the EU General Data Protection Regulation (EU GDPR) is moving quickly up the agenda of most businesses. It’s also establishing an increasing presence in the mainstream media as consumers become more tuned in to what it means for them.
Wherever you are in your GDPR journey, an absolute must is having a good appreciation of the basic elements of the regulation so that you can plan accordingly. As a useful summary, I’ve listed six important elements below, extracted from our whitepaper ‘Defining the data powered future’. I’ve also included some important areas of consideration for each one which may help to focus your planning. Of course, it’s by no means exhaustive and we’d always recommend referring to the ICO for more detail.
There has been a desire to strengthen data subject rights within the GDPR. To this end, there are a number of new data subject rights (e.g. the Right to Erasure or Right to be Forgotten) or enhanced rights (e.g. Right to be Informed). Given their importance, two major elements, the Right to be Forgotten and Right to be Informed, are covered in more depth below.
Focus area: Consider how your organisation can make it easy for an individual to not only find the data you have on them but to also edit, add or remove that data. Obviously, secure access should be a priority, so look at ID Verification tools if you don’t have a consumer facing portal already.
Businesses need to make sure individuals understand who the controller is that is collecting their personal data and the purposes for which they are processing it. Organisations’ privacy policies will need to be updated in line with the requirements of the GDPR. The new principle of accountability in the GDPR means there will be much more of an onus on controller businesses to demonstrate compliance with the data protection principles within the GDPR.
Focus area: Think about how the sign-up process on your website can be updated to make it clearer to the data subject how you intend to use their data - what requires their consent (as well as what doesn’t). Also consider how you can show an internal or external audit that this information has been displayed and understood.
A Right to Erasure has now been set out clearly in the GDPR, which will allow individuals a qualified right to request that their data be erased, provided certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected). Where relevant, businesses will have an obligation to erase the relevant personal data they hold concerning that individual within a maximum of one month of the receipt of the request.
Focus area: Locating all copies of personal data can be challenging. Think about where you may be asked to look for and erase data. Can your organisation locate all versions of an individual across your databases? What if they changed address or name? A unique pin (often known as a Single Customer View) can be a great way to smooth out the erasure process.
Businesses will be required to appoint a DPO to help them comply with all their obligations under GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance. It’s needed whether the organisation is acting as a processor or a controller where processing operations require regular or systematic monitoring of people on a large scale.
Focus area: The DPO will clearly have a number of tasks in GDPR preparation, but they will need the right tools in place to monitor the on-going performance of the business. As this role needs to encompass technical, legal and business skills, think about data reporting tools that can be used by someone who may not be able to code.
Under the Data Protection Act 1998, the statutory obligations are on data controllers only. However, under the GDPR, data processors will also have obligations. For example, the processor will have a responsibility for implementing appropriate technical and organisational measures for the security of personal data during its processing activities. Processors will be legally accountable for compliance beyond any contract terms, but reputable data processors will already have many measures in place to demonstrate compliance.
Focus area: Start asking your data processors about their GDPR plans. Clearly, they may not be 100% there yet but they should be able to give you a high-level overview of what they have in place today and what they are planning to improve ready for May 2018.
Businesses will need to carry out a Data Protection Impact Assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. GDPR includes a requirement for controllers to report a personal data breach to their data protection supervisory authority (the Information Commissioner’s Office (ICO) in the UK) without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in high risk to those rights and freedoms, the data controller will also need to communicate the breach to impacted individuals without excessive delay.
Focus area: Think about how a data breach may impact your business and data subjects. Have you got a tried and tested plan in place for this eventuality? Do you know what you would send to affected individuals? Have you got FAQs ready for your website and trained your call centre staff with the relevant messaging? A Data Breach Impact Assessment could be a worthwhile addition to your wider Data Protection Impact Assessment toolkit.
A core theme of the GDPR is to keep consumer interests front of mind at all times and you’ll no doubt see this reflected in the six elements above. Whilst organisations will naturally want to comply to avoid the well-publicised fines, it’s fair to say that the transparent, secure and effective use of data has transformative potential for consumers and businesses alike. I believe this will be a significant motivating factor to get on the road to GDPR compliance.
In return we’re likely to see consumers sharing more data with the organisations they trust if they feel there is a fair exchange going on.
The GDPR is about much more than getting ready for next May – it’s forever. Now is the time to create a truly consumer-centric approach to data governance and strategy, and to secure your customer’s place at the heart of your data powered future.
If you’d like to find out more about the GDPR, our hub hosts a number of useful resources as well as information on how Experian can offer support to organisations at any stage in their preparations.