GDPR and Telecoms

Gamma’s overview and statement

The GDPR is coming and will have an impact on your business. Are you ready?

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

GDPR has implications for all organisations that collect information about customers resident in the EU. Whilst the telecommunications sector has been under strict regulation for a number of years, there are some significant changes that the EU GDPR, and “the Applied GDPR” (the UK’s post-Brexit absorption of the directive), will bring to the sector.

This page outlines some of the most significant incoming changes and Gamma’s stance on the General Data Protection Regulation.

What is the GDPR?

The GDPR (General Data Protection Regulation 2016/679) is a new EU Regulation which will replace the 1995 Data Protection Directive (DPD), which was implemented in the UK via the Data Protection Act 1998. It is intended to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations that collect or process personal data. It will come into force on 25th May 2018.

The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

How will the GDPR impact telecoms?

Those businesses that transfer information for data warehousing, reporting and marketing purposes will now need to be ready to delete or ‘anonymise’ these data sets.

Another important area will be data portability. Telcos should be able to provide consumers with a copy of their personal data in an electronic format. This means they need to keep this data in a structured and commonly used standard electronic format. A straight dump of tables from lots of disparate systems is unlikely to make the cut here.

Will the GDPR apply to me?

The GDPR applies to ‘controllers’ and ‘processors’. The definitions are being aligned much more closely under the new legislation, increasing the requirements that data processors currently need to adhere to under the existing DPA framework.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

Key provisions of the GDPR

Privacy by design and default

GDPR requires organisations to include privacy in their processes and systems by design. This means that all company software and systems should adhere to the key tenets of GDPR. For instance, the software should be able to completely erase personal data if required by the data subjects.

Right to be forgotten

Organisations cannot hold any data without prior approval and need to have strict mechanisms in place to delete data if requested by users.

Right to Data Portability

GDPR allows data subjects to obtain and transfer personal data from one data controller to another in a safe and secure fashion. This provision allows individuals to leverage their personal data for their own benefit.

Explicit opt-in consent

GDPR strengthens the case for explicit opt-in consent from customers before using their personal data. Under the regulation, the data subject is completely in control of their own data. Organisations also need to communicate clearly when asking for personal data and clarify its intended usage.

Harsh non-compliance fines

The regulation places strict demands on businesses, as non-compliance will result in penalties of up to 4% of worldwide turnover or 20 million Euros, depending upon the nature of the violation.

Stricter rules for data breaches

Breach notification is another key provision of GDPR. Under this provision, it will become mandatory for organisations to notify the data protection authority and customers within 72 hours of a data breach.

Gamma’s position on the GDPR

As we approach May 2018, Gamma is focused on GDPR compliance.

We start from a strong standing point, having achieved compliance in an already highly regulated telecommunications sector, so we feel entirely confident that our processes and services will meet all GDPR requirements.

We have appropriate security processes around these databases and believe they are already GDPR compliant. Prior to and beyond the ‘go-live’ date for GDPR, we will continue to monitor our processes and controls to ensure full compliance with GDPR at all times.

Have a question about telecoms and GDPR? Get in touch:

Gamma’s preparedness

As a telecoms business, Gamma has been under a specific and tight data-protection regime for a number of years, with mandatory reporting of any data-protection breaches to the Information Commissioner.

We have been operating under an environment similar to the GDPR for many years now, and we are confident that when the May 2018 deadline arrives our systems & processes will be GDPR compliant.

Gamma’s service security

Whether we collect contact personal data from our customers, suppliers or business partners, or process any personal data on behalf of our customers, we have stringent and adequate technical and organisational measures around such data and believe they are already GDPR compliant.

Keep up to date with the GDPR and its impact on telecoms on the Gamma Blog