The General Data Protection Regulation (GDPR) presents a challenge to all businesses with EU customers: comply with stringent rules regarding data privacy and protection, or face severe fines – up to €20 million or 4% of global turnover.
Achieving data compliance is far from a simple tick-box exercise and will require board-level input in many cases. As privacy and personal data protection are subjective and dynamic concepts, businesses must continuously review how they gather, process and protect personal data. Ongoing risk management will also be necessary as business processes are exposed to scrutiny from customers, employees and regulators. trust-hub is designed to simplify data compliance, automate individual rights management and improve customer experience, with minimal disruption to existing processes or systems.
GDPR will enter into force on 25 May 2018 and the countdown to compliance has already begun. Read on to find out if you’re ready.
Identifying the personal data you hold and where it resides is the first step on the road to compliance. GDPR has expanded the definition of personal data so it’s likely that you’re processing more than you think. The new definition encompasses online and device identifiers, cookie IDs, IP addresses and location information. Genetic and biometric data is now classed as ‘sensitive’ personal data.
GDPR introduces more stringent rules in relation to data protection and privacy. All systems and services that process personal data must be designed with data protection in mind and specific technical and organisational measures must be implemented to safeguard this information during processing. GDPR explicitly champions encryption and pseudonymisation, techniques that reduce the risk associated with data processing, and regulators may grant more leeway to controllers who adopt these practices.
Once you’ve identified personal data, the next step is categorising and auditing this information to determine what should be kept or erased based on business needs and consent status. Further dimensions to consider are the frequency with which the data is required within the business and the risk of holding this information in its raw, unencrypted state.
The individual is at the heart of GDPR. Both your employees and customers will have new powers to request detailed information on how their data is used, stored and protected, free of charge. They’ll have the right to access, port and even request erasure of their personal details.
Managing consent will become a more complex process under GDPR. Consent needs to be free, specific, informed and unambiguous. Controllers must clearly state their intentions when processing an individual’s data and request consent each time they do so. Processes for obtaining consent on behalf of children are also stricter.
GDPR can be more than a tick-box exercise in compliance. It represents an opportunity to achieve operational best practice and gain a commercial advantage. Implementing the systems and processes required by the regulation in the right way can help organisations define and manage the risk and reward associated with processing personal data, and drive efficiency.
What’s more, choosing a solution that balances data protection with accessibility will enable organisations to match the pace of change in the digital marketplace, seize opportunities and meet rising customer expectations. As compliance with GDPR is mandatory, the question is not whether you comply, but how you comply. Ready to get started?