The deadline for the European Union’s General Data Protection Regulation (GDPR) is looming. From 25 May 2018, any organisation that offers goods or services to people in the EU, monitors their behaviour, or otherwise processes the personal data of even a single person in the EU needs to be fully compliant, wherever that organisation is based. This means making major changes to how one captures, processes and stores personal data, with a strong focus on data protection and retention practices. Ignore GDPR, and you run the risk of hefty fines (up to €20 million or 4% of annual global turnover, whichever is greater), a loss of consumer trust, and untold damage to your reputation. Are you ready to face GDPR head-on? If you have been readying yourself for compliance with our own POPI (Protection of Personal Information) Act, then you should not be far off complying with GDPR, which is based on similar principles.
The requirements of GDPR
Globally, recent years have seen some of the worst data leaks and malicious hacks in history. As a result, people are far more concerned about their fundamental right to privacy and have also become more vigilant and aware of their liberties when it comes to their digitally-gathered personal data, and what businesses are doing with it. GDPR outlines a new set of regulations that are designed to prioritise the rights of EU citizens and give them more control over their private data, including valuable and sensitive information such as financial details, phone numbers, addresses, religious and political views, and much more.
Regardless of where a business is located, if it collects or processes the personal information of anyone in the EU, GDPR applies. In this regard, it’s imperative to understand what data you collect, where it is stored, how long it is kept and how it’s being used. Among the rights GDPR grants to data subjects (access, rectification, erasure, restriction of processing, portability and objection), two have the largest impact on existing systems: the right to be forgotten, where a customer can request that their data be deleted, which means knowing every system and backup in which it lives; and the right to data portability, where a customer can request their data in a structured, machine-readable format so that it can be moved to another company. Customers are further protected by updated privacy notices, which need to be worded in clear, concise and plain language that anyone can understand. By outlining exactly what you’ll be doing with the data, transparency is put front and centre, and customers feel more at ease.
Another important aspect of the regulation involves personal data breaches. Businesses are required to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned, and to inform the affected individuals without undue delay where the risk to them is high. Meeting that deadline is only possible if a breach can be detected and its scope established quickly, which puts logging, monitoring and a rehearsed incident response plan squarely within scope of compliance. To minimise exposure, a company should collect, share and keep only the data it really needs, and ensure that the data it does hold is effectively searchable in case it is called upon to provide it, for instance in response to an access request.
The importance of change and compliance
Any South African company needing to align itself with the GDPR requires the appropriate internal processes and technical capabilities to be able to execute these changes correctly. For example, a company that processes personal data on behalf of its customers, such as Connection Telecom, would need to sharpen its security controls and data breach response plans, and seek advice from a specialist attorney who can assist with updating its policies, contracts and documentation to ensure a valid lawful basis for each type of processing (informed consent being one of them) and water-tight compliance.
The relationship between data controllers and data processors, and the transfer of data between them, is an important part of GDPR: the regulation requires a written contract setting out each party’s obligations, and businesses need to work together to ensure consumer information is secure. Companies should also consider assigning dedicated individuals or teams to focus on GDPR, to ensure that data is accurately documented, safely stored, and permanently deleted when no longer needed – not to mention that practices are regularly tested to ensure optimal protection.
Beyond the negative financial implications of non-compliance, there’s another important reason for businesses to implement these data security and integrity practices: a digitally-savvy generation of customers is better informed than ever before, and the reputational risks associated with irresponsible handling of data are known all too well. Consumers expect ethical behaviour and utter transparency, even from the largest corporation.
Finally, it is worth noting the positives of GDPR compliance. By gaining a true understanding of a business’s data practices, more effective business decisions can be made in the long run. It’s not just a legal responsibility, it’s an opportunity to do better business – and organisations across the globe would do well to embrace it with open arms.
By Rob Lith, Director: Business Development at Connection Telecom