GDPR: what does this mean for us?
GDPR, the new European data law, is looming, and if you’re anything like us, you’ll have been trying to get your head around this new piece of legislation, and what that means for companies that handle large amounts of data every day. In case you missed it – GDPR (or General Data Protection Regulation) is a new regulation implemented by the Council of the European Union, the European Parliament and the European Commission, that is intended to strengthen and unify data protection for all individuals within the EU. It aims to give citizens and residents control over their personal data, whilst simplifying existing data laws by creating a uniform set of regulations.
In short, this means that individuals will in theory gain control over how their data is stored and how long companies can keep it for. For businesses, it means they could be hit with large fines if they are not compliant (up to EUR 20 million, or 4% of global annual turnover, whichever amount is higher, for serious infringements).
So, what are the key areas to focus on to stay compliant and avoid hefty fines? If you’re part of the Market Research world, it’s likely that you already have policies in place that dictate how you handle client data - at Big Sofa, we’ve been ISO27001 accredited for the past three years - but the new law means that now, whether you’re a client or an agency, you can’t simply assume your agency is taking care of this for you - you also have liability.
With this in mind, here are some additional key areas and themes to review, and to improve your policies around.
- Transparency and Consent
Consent is a huge area where the industry needs some tightening of practices. Now is the time to become completely transparent about how you’re collecting content, what you’re going to do with it and how long you intend to keep it. It can’t be legal jargon or small print – this information needs to be accessible and communicated explicitly to customers. The right to withdraw consent or alter the data held needs to be stated, together with instructions on how to do so. If you’re collecting data directly, you might want to think about including this in the consent forms that customers sign. If you are using others to collect data, you’ll want to check that they’ve got this clear and that you understand what this means for what you can do with the data.
- Customer autonomy
Customers need to be able to get in contact with you or any of your partners/suppliers processing personal data to understand what data is being held about them and how it is being processed, free of charge. This is known as the Right to Access, and means businesses must give customers access to their data if requested. This could mean including contact details on the consent form customers are sent, and/or having clear contact details displayed on your company website. Businesses now also need to ensure they’re in a position to respond to the Right to be Forgotten. This means that if the subject requests it, businesses must have a process in place that ensures they are able to remove all of that person's data from their own and their suppliers’ systems in a timely manner.
- Incident management
If something does happen (and unfortunately, even with the best will and practices in the world, you can’t protect yourself against all risk), it is important to have solid incident management practices in place. This means dealing with problems in a controlled way, ensuring they are appropriately reported, and triggering any necessary Breach Notifications. In other words, if a breach impacts the rights and freedoms of the people whose data you hold, they and anyone else who might be affected (joint data owners/controllers) must be notified as quickly as is humanly possible.
- Privacy by design
Under GDPR, privacy by design is now a firm legal requirement, rather than just being a ‘nice to have’. It is essential to apply privacy by design to all software that is built, and to all systems and procedures (whether technical or operational). This means that data security must always be a consideration from the outset, rather than an afterthought.
- Self auditing
For most companies adept at handling consumer data, GDPR doesn’t impose dramatic changes to the way they handle data. What is dramatically different, however, are the sanctions that apply if it emerges that these practices are not being properly carried out. Because of this, it is necessary to have an internal team appointed to look after and safeguard your business’s data security. It is also important for businesses to ensure that all employees understand the implications of these new laws. This could mean rolling out company-wide training, and socialising the implications of the new law into employees’ day-to-day working practices.
Whilst this can all seem quite daunting, it’s worth remembering that GDPR will be beneficial to the public and to how their data is used – which means that it will also be beneficial to you individually. Increasing public confidence in businesses’ ability to protect and manage sensitive information is essential in order to continue growing the digital economy. Businesses will benefit from greater public support if the public feel their data is being protected, and that there are strict measures in place to ensure this.