The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018: new laws intended to standardise data protection across Europe.
While data protection and privacy guidelines have existed across Europe since 1980, they have never been implemented consistently, even after the 1995 directive. Since then, the widespread adoption of internet technologies and a trend toward cloud-based infrastructure have changed the way data is processed, stored and transferred. To keep pace with these rapid changes and to protect individuals, new data protection laws were required – enter the GDPR. Now, any organisation operating inside the European Union (EU) must ensure compliance with this legislation.
As a software vendor, we're acutely aware of the challenges associated with the GDPR. We've had to think about getting ahead of our customers for hosted solutions; ensuring our partners are compliant; reviewing our data security; and getting records in order across multiple systems.
In some ways, the whole experience reminded me of the run-up to Y2K, but for one small difference. Unlike Y2K, GDPR compliance isn't a one-off software patch. There wasn't a combined sigh of relief on the 26th of May. Instead, GDPR compliance is a long-term obligation, with attention-grabbing penalties.
Here's a reminder of those GDPR administrative fines:
- The higher of €10 million, or 2% annual global turnover for data breaches or not meeting your obligations
- The higher of €20 million, or 4% annual global turnover for where someone’s privacy has been infringed
One of the major reasons that there weren’t any widespread failures associated with Y2K is that those organisations, their Boards, and their IT Departments investigated, planned and acted to prevent it being a problem.
The old adage of ‘fail to plan, plan to fail’ is all too pertinent here.
If you didn’t plan properly in the run-up to May the 25th, you’re likely not acting in compliance with the GDPR now. And while nothing has ground to a halt, you're running the risk of landing your business in hot water.
So, how compliant are you? Well, here’s a quick test. Do you know:
- What data your organisation stores on customers?
- Where your customer data is stored, including backups?
- How well your current processes work and who manages them?
- How to inform your customers of their existing rights under the DPA?
- What would happen if you just deleted the record – many systems have linked records (e.g. parents and children)?
- Whether other regulations also affect the data you hold (especially true for healthcare data)?
If you can’t answer yes to one or more of these questions, you have a problem. You’ll find it difficult to develop a data protection plan. What's more, putting effective processes in place will prove almost impossible. After all, this wasn’t just a software update. It’s a whole change to the way your organisation stores, processes, and protects customer data.
One of the biggest challenges I’ve encountered is when data is stored across disparate systems. For instance, if you hold data in five different systems, you need to decide if you want to maintain consent details across five systems or consolidate to a single data store. And if you opt to manage consent across multiple systems, which one do you check when you need to establish consent status?
The issue of consent, along with the right to erasure (or the right to be forgotten, as it is popularly known), has attracted a lot of attention, at least as far as IT systems are concerned. In the first instance, consent is primarily a process issue or a simple flag within appropriate systems to be checked. Erasure, by contrast, requires the removal of a customer’s details entirely.
Put into context, most systems will allow you to delete customer data. However, if you have a lot of data spread across applications or need to batch delete data on a time threshold to meet your retention policy (say delete all non-active contacts over a year old), unless you have the right systems in place, you may need a small army of people deleting records to maintain compliance.
This is one of many examples of how GDPR is affecting organisations. As with most projects, GDPR needs legal advice, IT skills, marketing skills and HR involvement. Having the facts, creating a plan and finding the right people can mean the difference between success and failure. If you are one of those companies that felt overwhelmed in the run-up to May 25th and adopted a wait-and-see attitude, it’s time to get your house in order.
The bottom line is that GDPR is going to affect almost every business in the UK, the EU and the world at large. If you’re still not sure what to do next, contact us.