With GDPR coming into force so soon, businesses are rushing to get the right information, a problem compounded by scary stories of hefty fines and a zero-tolerance approach from data protection regulators. There is so much misinformation out there that the UK’s Information Commissioner, Elizabeth Denham, has written a series of blogs to sort fact from fiction, and three of the main GDPR myths and misconceptions are outlined in this blog.
But beyond busting myths, there are some core aspects of GDPR that your business needs to know about today. It is worth checking that you have considered all of them even if you believe your business is already GDPR compliant. According to the Federation of Small Businesses, the majority of SMBs are unprepared for GDPR, and a third have not updated their IT infrastructure and business processes to make sure they comply before the deadline.
GDPR: what are the individual’s rights?
Customers will welcome GDPR because it gives them far more control over how their personal data is used. This means businesses have to be transparent about data usage and obtain consent for the ways data will be used (consent is one of six lawful bases for processing; whichever applies must be identified and recorded before collection). In the past, under the EU cookie law and general terms and conditions, businesses were often wary of annoying customers by telling them about their rights. Now it is in the business’s interest to be as clear as possible.
Consumers value their privacy. A KPMG International report found that fewer than 10% of consumers felt they had control over the way organisations handle and use their personal data, and 82% were not comfortable with the sale of their data to third parties, even in exchange for speed, convenience, product range, home delivery or price comparison offers.
The GDPR provides the following rights for individuals:
- The right to be informed – individuals have the right to be informed about the collection and use of personal data, including the purposes for processing personal data, retention periods for that data and who it will be shared with.
- The right of access – individuals have the right to obtain confirmation that their data is being processed, to access their personal data, and to receive the additional information outlined in Article 15.
- The right to rectification – individuals can have inaccurate personal data rectified, or completed if it is incomplete.
- The right to erasure – better known as ‘the right to be forgotten’, individuals can request to have their personal data erased; the right applies in specific circumstances (for example, when the data is no longer necessary for the purpose it was collected for, or consent is withdrawn) rather than unconditionally.
- The right to restrict processing – individuals can request the restriction or suppression of their personal data. The company may still store it, but may not otherwise process it without the individual’s consent or another permitted ground.
- The right to data portability – individuals should be able to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
- The right to object – individuals can object to direct marketing (an absolute right), to processing for scientific or historical research and statistics, and to processing based on legitimate interests or on the performance of a task in the public interest.
- Rights in relation to automated decision making and profiling – individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them. Organisations can only make such decisions where they are necessary for entering into or performing a contract, authorised by Union or Member State law applicable to the data controller, or based on the individual’s explicit consent.
Understanding the data lifecycle
Once you have ensured that your business has considered all of the individuals’ rights, you need a clear plan of how your business will collect and process data. Here are some key points to consider:
- Decide when and how the data is collected, and how the individual’s consent is obtained at that point.
Questions to ask: Is the data collected online or through a survey? What does the data include, and is any of it personal or sensitive? Is the collection channel secure? Have you been clear about how you are going to use the data? Have you clearly obtained the user’s consent?
- How and when to store it?
Questions to ask: Who are the data storage providers? Are they GDPR compliant? How does the data move from collection to storage? How secure is the data at rest? Is personal and sensitive data stored alongside other data, or segregated? Who can access this data, and how is that access controlled and logged?
- How and when to use it?
Questions to ask: What can we use this data for? Is it necessary for our business to use this data? What tools do we need to make use of it?
- How and when to share it?
Questions to ask: Which third parties are allowed access to this data? Has this been communicated to the individual? Is the transfer of the data secure? Is the third party GDPR compliant, and is there a written processing agreement in place?
- And how and when to archive or destroy it?
Questions to ask: Is it necessary to keep this data? Is it a risk to keep (and if so, how can it be securely destroyed so that it cannot be recovered)? Will the data be useful later? If it will be used later, was this communicated when consent was obtained from the individual?
By considering all of these factors, a data lifecycle can help you understand the value of data to your business. It can reduce data storage costs and ensure that you have considered consent at every stage of processing. It also means you have chosen the right partners and vendors to work alongside, and the right tools and processes to transfer, share or erase data.
What are “subject access requests” and “index engines”?
Now that you have considered individuals’ rights and the data lifecycle, the next thing worth considering to help your business comply with GDPR is index engines.
Put simply, if individuals want to know what personal data about them you are holding or processing, they can make a request to find out; this is called a subject access request. This seemingly simple request can be difficult to respond to if your business has archived some data on tape, in the cloud, in old computer systems or in remote data centres.
An index engine enables you to quickly index, classify, find and manage the data you hold, no matter where it is stored.
To make this a speedier process, you could also consider using a fast wide area network (WAN) to retrieve the data quickly. Being able to respond efficiently to subject access requests is a compliance requirement: the information must be provided without undue delay and within one month of receipt at the latest (extendable by a further two months for complex or numerous requests, provided the individual is told within the first month).
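The following is an added example, not code from Cisco or from any index-engine product, of what the index described above does at its simplest: it builds a lookup across several data stores keyed by a pseudonymised subject identifier, answers a subject access request with every record found, and computes the one-month response deadline. The store names, field names, sample records and the index key are all constructed assumptions for illustration.

```python
"""Added example (not Cisco's or any vendor's code): a minimal personal-data index
that answers a subject access request across several data stores and computes
the one-month response deadline. All store names, field names, records and the
index key below are constructed assumptions for illustration."""
from __future__ import annotations

import calendar
import hashlib
import hmac
from collections import defaultdict
from datetime import date

# Constructed sample stores. The same person appears with different spellings
# of her email address in a CRM, a mailing-list export and a support system.
STORES = {
    "crm": [
        {"id": 101, "email": "Ada.Lovelace@example.com", "name": "Ada Lovelace", "dob": "1815-12-10"},
        {"id": 102, "email": "cbabbage@example.com", "name": "Charles Babbage"},
    ],
    "mailing_list": [
        {"email": "ada.lovelace@example.com ", "opted_in": True},
    ],
    "support_tickets": [
        {"ticket": 7, "contact": "ADA.LOVELACE@EXAMPLE.COM", "subject": "Login issue"},
        {"ticket": 8, "contact": "cbabbage@example.com", "subject": "Invoice query"},
    ],
}

# Assumed mapping of each store to the field that identifies the data subject.
IDENTIFIER_FIELD = {"crm": "email", "mailing_list": "email", "support_tickets": "contact"}

# Fields this example treats as sensitive and flags in the response.
SENSITIVE_FIELDS = {"dob", "health", "religion"}

# Assumption: a secret kept outside the index. Keying the index with an HMAC
# means the index itself does not list email addresses in the clear.
INDEX_KEY = b"example-only-key-rotate-in-production"


def normalise(email: str) -> str:
    """Canonical form so 'Ada.Lovelace@example.com ' and 'ada.lovelace@example.com' match."""
    return email.strip().lower()


def subject_key(email: str) -> str:
    return hmac.new(INDEX_KEY, normalise(email).encode(), hashlib.sha256).hexdigest()


def build_index(stores: dict) -> dict[str, list[tuple[str, int]]]:
    """Map each subject key to the (store, position) pairs that hold data about them."""
    index: dict[str, list[tuple[str, int]]] = defaultdict(list)
    for store_name, records in stores.items():
        field = IDENTIFIER_FIELD[store_name]
        for pos, record in enumerate(records):
            ident = record.get(field)
            if ident:
                index[subject_key(ident)].append((store_name, pos))
    return dict(index)


def sar_response(index: dict, stores: dict, email: str) -> dict:
    """Assemble everything held about one subject, tagged with where it lives."""
    hits = [(store, stores[store][pos]) for store, pos in index.get(subject_key(email), [])]
    return {
        "subject": normalise(email),
        "stores_holding_data": sorted({store for store, _ in hits}),
        "records": [{"store": store, "data": record} for store, record in hits],
        "sensitive_fields_found": sorted({k for _, r in hits for k in r if k in SENSITIVE_FIELDS}),
    }


def sar_deadline(received: date) -> date:
    """Latest response date: the corresponding calendar date one month after receipt,
    or the last day of that month if it has no such date (31 Jan -> 28/29 Feb).
    Rolling forward over weekends and public holidays is left out here."""
    year = received.year + (1 if received.month == 12 else 0)
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


if __name__ == "__main__":
    idx = build_index(STORES)
    print(sar_response(idx, STORES, "ada.lovelace@example.com"))
    print("respond by", sar_deadline(date(2018, 1, 31)))
```

Two design points carry over to a real deployment: identifiers must be normalised before indexing, or the mailing-list and support copies of a record are silently missed; and the index is itself a store of personal data, so keying it with an HMAC under a separately held secret keeps it from becoming a plain-text list of everyone you hold data on.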
How can network technology help you achieve GDPR compliance?
First and foremost, whichever network technologies you are considering should be GDPR compliant themselves. Network and cloud providers have a duty of care to give their customers (i.e. your business) a clear view of the data they transport and store. When it is under their control, they need to ensure it is safe, secure and doesn’t end up in the wrong hands.
Secondly, there are products equipped with features that keep data secure in transit and let it be transferred swiftly, even when it is moved as part of a large batch.
SD-WAN, for example, adds a layer of data protection at the network edge: a business can create separate security zones for trusted and untrusted connections, and encrypt traffic that crosses untrusted networks (such as the public internet) to protect against eavesdropping and unauthorised access. Encryption in transit protects data only while it travels; it does not replace access controls and encryption at rest at either end.
Read our blog to find out how Cisco is getting its products ready for GDPR.
What happens if your business doesn’t comply with GDPR?
As you may have heard, failure to comply can lead to fines and other sanctions for your business.
There are two levels of fines. Breaches of controller or processor obligations (for example the security, record-keeping and breach notification duties) can be fined up to €10m or two percent of annual global turnover for the previous financial year, whichever is higher.
Breaches of the basic principles for processing, of data subjects’ rights, or of the rules on international transfers can result in fines of up to €20m or four percent of annual global turnover for the previous financial year, whichever is higher.
The value of a fine is not clear-cut; it follows an investigation by the relevant supervisory authority, which will consider the organisation’s behaviour, including whether GDPR compliance had at least been attempted, how the infringement came to light, and how promptly the breach was reported and the authority cooperated with.
In some instances a fine may not be issued; instead the regulator can issue warnings and reprimands, impose a temporary or permanent ban on processing, order data erasure, or suspend data transfers to third countries.
GDPR compliance: next steps for you and your business
To ensure you avoid GDPR fines and reap the rewards of the new regulation, begin the compliance process by reading the ICO’s 12 steps to prepare your business for the regulation, and by using its GDPR self-assessment toolkit.
Check out our resource page packed with myth busters and live discussions with data protection experts to help you crack the code of GDPR. You can also help to protect your organisation against data breaches by reading our guide to setting up an incident response program.