Written by Russell Persand-Carter, Identity Consultant at Innovate Identity
This month the new General Data Protection Regulation (GDPR) was adopted by the EU Council and Parliament with a view to simplifying the rules and bringing consistency to data protection across Europe. The GDPR updates and replaces the 1995 Data Protection Directive (95/46/EC), and in doing so also makes it easier for non-European businesses to comply and opens up new opportunities to trade globally through a common framework. Some might say it is a double-edged sword, as the GDPR also introduces stricter penalties for non-compliance, with fines potentially reaching 4% of global annual turnover (or €20 million, whichever is higher). Ouch! Clearly ignore at your own peril.
With a two-year transition period until the regulation officially applies, it’s understandable that some businesses may hold off implementing the changes to their privacy and data security policies and operational procedures in favour of other pressing business priorities. But can you really afford to? Data breaches continue to make press headlines worldwide and business reputations are being challenged in an increasingly competitive landscape.
Consumers are increasingly aware of the inherent risks of sharing their personal information online, with recent research from Ofcom finding that three in ten (28%) of those who use apps now have concerns, compared to two in ten (20%) in 2013, and security/fraud or privacy (20%) being the most common concern. For those ahead of the curve it could well be savvy thinking to get your skates on and meet the obligations sooner.
So what does it potentially mean for your business and more importantly what should you do?
1. Build services from the ground up with data privacy in mind – you’ll increasingly hear the term ‘Privacy-by-Design’ (the GDPR itself calls it ‘data protection by design and by default’), which in principle means that when designing your online services, how you handle and protect your customers’ personal data should be front and centre of the customer experience. A Privacy Impact Assessment (the GDPR’s term is a Data Protection Impact Assessment) will help you understand where you are today and identify any points of risk or potential exposure. Not cutting corners, and making data privacy inherent to your business processes early, should pay dividends in both the short and longer term. You can almost guarantee your competition will see it as an opportunity to differentiate early.
2. Getting your customers’ consent when collecting their data is fundamental – under the GDPR you’ll need to be crystal clear and transparent about which bits of personal data you’re collecting on your customers and for what purpose. A pre-ticked box and job done will not cut it in the new world: consent must be a clear, affirmative action and the request for it must be ‘clearly distinguishable’ from other matters in the customer journey. The GDPR stipulates that for children under 16, consent from a parent or guardian will be required for online services (member states may lower this age, but not below 13), which in itself will be challenging to verify. Terms and conditions and privacy notices will need to be revisited by many businesses to ensure compliance.
3. Data Protection Officer…you don’t have one? Get one! – the GDPR makes this role mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other businesses will still want one. An expert in data protection law, data security and IT processes, the DPO will act as your ‘go to’ person for data protection issues, risk prevention and contact with the supervisory authority. You may need to move quickly, as those with such broad skills could be in short supply as many organisations seek to fill the role. Alternatively, third parties with relevant skills can support businesses in achieving compliance.
4. The horror of data breaches and managing them well – OK, not Amityville as such, but it can seriously raise blood pressure and create sleepless nights for those carrying the can. Under the GDPR, the data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and must inform the affected individuals where the breach is likely to result in a high risk to them; the DPO is typically the person co-ordinating that response. The seriousness of a data breach cannot be overstated in today’s hyper-connected world. For some businesses it can be devastating, leaving their integrity in tatters and their sustainability in question, and some reputations irreparable, as recent high-profile breaches at TalkTalk, Ashley Madison and countless other corporates have shown. Consumers are also growing increasingly concerned about the associated risk of exposure and, as the recent Ofcom report shows, are asking questions of the providers collecting their data.
Selling customers’ personal data on the “dark web” is now a thriving industry, with online criminal marketplaces establishing themselves and, in some cases, offering refunds and money-back guarantees to buyers. Data privacy is a growing concern for each and every one of us, as the recent Ofcom report highlights, and the GDPR seeks to strengthen and unify data protection standards across Europe and set out its stall to build best practice more widely.
Innovate Identity are already working with businesses across Europe to develop and implement best practices in privacy and data security, helping our customers to reduce risk and protect their customers, their data and their business.
Our advice is to act now, as prevention will always be better than cure…it’s best to imagine it’s your own data and ensure your business practices go above and beyond the expectations set out in the regulation. For each of us, our identity really is a most precious thing!
Get in touch to find out how we can help you comply with the GDPR by emailing us at firstname.lastname@example.org