The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
GDPR has implications for all organisations that collect personal data about individuals in the EU, and whilst the telecommunications sector has been under strict regulation for a number of years, there are some significant changes that the EU GDPR, and "the Applied GDPR" (the UK's post-Brexit absorption of the regulation into domestic law), will bring to the sector.
This page outlines some of the most significant incoming changes, and sets out Gamma's stance on the General Data Protection Regulation.
The GDPR (General Data Protection Regulation 2016/679) is a new EU Regulation that replaces the 1995 Data Protection Directive (DPD, Directive 95/46/EC), which was implemented in the UK via the Data Protection Act 1998. It significantly enhances the protection of the personal data of individuals in the EU and increases the obligations on organisations that collect or process personal data. It applies from 25 May 2018.
The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
Businesses that copy personal data into data warehouses, reporting systems and marketing databases will now need to be able to delete or anonymise those copies as well, not just the source record; the obligation follows the data wherever it has been replicated.
Another important area is data portability. Telcos must be able to provide consumers with a copy of their personal data in a structured, commonly used and machine-readable format, so that it can be passed on to another provider. This means the data needs to be held, or at least exportable, in such a format. A straight dump of tables from lots of disparate systems is unlikely to make the cut here: the export needs to be a single, consistent and documented format that another controller can actually import.
The GDPR applies to 'controllers' and 'processors'. The definitions themselves are carried over from the existing DPA framework, but the GDPR places direct obligations on processors for the first time, so processors will need to meet far more than they currently do under the DPA.
If you are a processor, the GDPR places specific legal obligations on you directly; for example, you are required to maintain records of your processing activities, implement appropriate security measures, and notify the controller without undue delay of any personal data breach. You will also have significantly more legal liability if you are responsible for a breach. Direct statutory obligations on processors are a new requirement under the GDPR.
GDPR requires organisations to build data protection into their processes and systems by design and by default. This means that company software and systems should support the key tenets of GDPR from the outset; for instance, the software should be able to locate and completely erase an individual's personal data, including any copies held in downstream systems, when a data subject exercises the right to erasure.
Organisations need a lawful basis (such as consent or a contract) for every personal-data processing activity, and need to have strict mechanisms in place to delete data when a data subject validly exercises the right to erasure.
GDPR allows data subjects to obtain their personal data and have it transferred from one data controller to another, in a safe and secure fashion, where technically feasible. This provision allows individuals to leverage their personal data for their own benefit.
GDPR raises the bar for consent: where consent is the lawful basis for using personal data, it must be freely given, specific, informed and signalled by a clear affirmative action, so pre-ticked boxes and inactivity no longer count, and it must be as easy to withdraw as it was to give. The regulation gives the data subject far greater control over their own data. Organisations also need to communicate clearly when asking for personal data and explain what it will be used for.
The regulation places strict demands on businesses, as non-compliance can result in administrative fines of up to 4% of annual worldwide turnover or 20 million Euros, whichever is higher, for the most serious infringements, with a lower tier of up to 2% or 10 million Euros for others, depending on the nature of the violation.
Breach notification is another key provision of GDPR. Organisations must notify the supervisory authority (in the UK, the Information Commissioner's Office) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay. Meeting the 72-hour window in practice requires detection and incident-response processes that can establish, within that time, what happened, which data and roughly how many people are affected, and what is being done about it.
As we approach May 2018, Gamma is focused on GDPR compliance.
We start from a strong position, having achieved compliance in an already highly regulated telecommunications sector, so we feel entirely confident that our processes and services will meet all GDPR requirements.
We have appropriate security processes around our databases and believe they are already GDPR compliant. Prior to and beyond the 'go-live' date for GDPR, we will continue to monitor our processes and controls to ensure full compliance with GDPR at all times.
As a telecoms business, Gamma has been under a specific and tight data-protection regime for a number of years, with mandatory reporting of any data-protection breaches to the Information Commissioner.
We have been operating in an environment similar to the GDPR for many years now, and we are confident that when the May 2018 deadline arrives our systems and processes will be GDPR compliant.
Whether we collect personal contact data from our customers, suppliers or business partners, or process any personal data on behalf of our customers, we have stringent and adequate technical and organisational measures around such data and believe they are already GDPR compliant.