Sunday, 6 May 2018
How-to: GDPR compliance here and now
This May is data protection month!
If you're operating any kind of organisation with an online presence within the European Union, then you should know that the new General Data Protection Regulation (GDPR) comes into force on May 25th, bringing in new requirements and increasing the penalties for breaches.
Non-compliance after that date is not an option.
The GDPR replaces the Data Protection Directive, which was implemented by all 28 EU Member States in the late 1990s; in the UK as the Data Protection Act 1998.
The GDPR is a Regulation, affecting all EU Member States without the need for any national legislation. It applies to all EU organisations, and also to those outside the EU if they collect data about EU citizens.
Given the recent large-scale data breaches occurring at Experian, Facebook and others, governments are keen to be seen doing something to rectify poor standards of data protection, not to mention the growing problem of unethical, unreasonable, exploitative and downright spammy online marketing.
Personal data under the GDPR means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
This is a much wider definition of personal data than any used before, and it includes online identifiers such as IP addresses and cookies.
There is also a wider definition of what counts as 'special category' personal data – in other words sensitive data such as information relating to someone’s racial or ethnic origin, their political opinions, religious or philosophical beliefs, their sex life or sexual orientation.
The GDPR also focuses on the definition of consent. The new definition of consent is critical for anyone using a contact list to communicate with members, subscribers, customers or the general public.
Email marketing (currently governed by the Data Protection Act) will be covered by the GDPR, and also by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
The PECR restricts you from sending marketing emails unless individuals have 'opted in' to receiving them. From May 25th, 2018, the PECR will draw its definition of 'consent' from the GDPR. There are several posts coming up about consent.
The cost of non-compliance
Improper collection, usage, storage and disposal of personal data are all grounds for an investigation by EU member-state agencies.
From 25 May 2018, data supervisory authorities such as the UK’s Information Commissioner’s Office (ICO) will be able to issue fines of up to four per cent of your annual global turnover, or €20 million (whichever is higher) for GDPR breaches.
Unlike the Millennium Bug, becoming GDPR compliant isn’t a one-off project; it requires ongoing management and record-keeping. New policies and procedures are required which will inform data protection at the point of capture and on through to changes in consent, data retrieval, update, removal and disposal.
Stand by, it's going to be a busy month. RC