In May 2018 the European Union’s new General Data Protection Regulation (GDPR) comes into force, and it will have a far-reaching impact on the ways in which both small businesses and large corporations collect, store and use their customers’ data.
Despite this significant change, studies show that many companies remain unaware of the consequences of the GDPR. In fact, a Dell and Dimension Research study found that, of 800 IT and business professionals responsible for data privacy at companies with European customers, 80% knew little about the GDPR at all. Most worryingly, studies report that 97% of companies are inadequately prepared for when the GDPR comes into force on 25th May 2018.
With the official GDPR deadline rapidly approaching, our Cloud Ten team recognise the need for businesses to act swiftly yet efficiently. We have created the following article to help your company implement a GDPR plan which will correctly handle your customers’ data and uphold your brand reputation.
Initially proposed by the European Commission in January 2012 and formally adopted on 27th April 2016, the GDPR is a set of rules intended to serve as a comprehensive reform of the European Union’s (EU) 1995 data protection rules. The GDPR aims to strengthen and unify data protection rights for all individuals in the EU, to simplify the regulatory environment for international businesses and to boost Europe’s digital economy as a whole.
Under the new GDPR legislation, individuals will have the right to:
Have their data deleted: Known as ‘the right to be forgotten’, companies must delete customers’ personal data if they withdraw their consent at any given time.
Access personal data records: Individuals will have the right to know how their data is stored and used. Copies of their personal data must be available on request, free of charge.
Transferable data: Individuals will have the right to transfer their personal data between service providers.
Inform about data collection: Businesses must inform clients of data collection in advance and receive approval before any data is processed. Consent cannot be implied; it must be freely given.
Correct information updates: Organisations must update and correct any incorrect or incomplete customer data.
Data breach notifications: Any breach of confidentiality concerning client data must be reported to all individuals involved within 72 hours of confirmation of said breach.
Restricted processing: Individuals will be able to request that their data be withheld from being processed. Client data can be maintained but not processed in any way without each client’s personal approval.
Objection to direct marketing: Individuals will have the right to withhold the processing of their data for direct marketing purposes. No exemptions to this rule will be permitted; this right must be made clear to clients from the start of all business communications, and data must be withheld immediately upon client request.
In addition to protecting your customers’ personal data, companies must remain in compliance with the new GDPR legislation in order to avoid data breaches and heavy fines ranging from 10,000 Euros up to 4% of their worldwide turnover. Moreover, infringing your customers’ data privacy rights could cause irreparable damage to your brand’s reputation.
Organisations required to adhere to the GDPR are those that offer services to EU citizens, operate within the EU market or handle the personal data of EU citizens. Unfortunately, many of these businesses remain woefully underprepared. Eric D’Angelo, Regional Sales Director of Asia Pacific and Dell Security, has highlighted how these organisations need to take action now in order to be sufficiently prepared come 25th May 2018:
“To be in compliance, both European organisations and those outside of Europe that do business there must adopt an adaptive, user-centric, layered security model approach around the tenets of prevent, detect, respond and predict…The scale, complexity, cost and business criticality of GDPR means that it will take at least two years for most companies to achieve full compliance. Most companies need to start now”.
To ensure that your organisation complies with GDPR legislation, listed below are some essential best practices for protecting your consumers’ personal data and safeguarding your organisation from incurring penalties:
Hire a Data Protection Officer (DPO) – This can be an existing employee or an externally appointed one. The role of a DPO is to monitor internal compliance with GDPR legislation and to inform and advise your company on how to correctly adhere to data protection regulations. DPOs will advise your company on Data Protection Impact Assessments (DPIAs) and serve as a ‘contact point’ for the GDPR supervisory authorities.
Take stock of all client data – Track and record all your clients’ personal data. Ascertain where sensitive, confidential records are stored and who has access to them (including archived data).
Bolster your data security policies – Review your existing security protocols and install new firewalls and sophisticated anti-virus software to prevent and contain potential data breaches. Devise a communications plan which swiftly notifies consumers in the event of a data breach. If work is outsourced, external suppliers must be subject to the same stringent data security protocols to ensure brand integrity.
Implement data handling policies and procedures – Establish protocols to ensure client consent is legally obtained before you process their personal data. Outline how their identification will be verified, how their data will be securely transferred and how data deletion requests will be swiftly and thoroughly processed.
Update your company’s documentation – Ensure all your organisation’s privacy statements, terms and conditions policies and disclosure agreements comply with GDPR legislation. Implement a clear process through which individuals can explicitly consent to the acquisition and processing of their personal data.
Control access management – Regularly review the access rights of your employees and contractors to ensure they have legitimate permission and a genuine business need to access the personal data of EU citizens.
By following the best practices outlined within this article, your organisation will be sufficiently prepared to comply with the new GDPR legislation when it comes into force on 25th May 2018. These pre-emptive measures could save your company substantial funds and resources in the long term as well as safeguarding your brand reputation and retaining the trust of your loyal client base.
Interested in learning more about GDPR best practices? Please feel free to contact our Cloud Ten team today for additional guidance and support.