The clock is ticking when it comes to EU GDPR compliance. With less than a year to go before it comes into effect, businesses around the world are revamping their data privacy posture to ensure they’re compliant with the regulations.
Earlier this year, it was confirmed that the forthcoming European data privacy directive would be transferred into UK law. So, despite Brexit, if you’re an organisation based in the UK, you still need to comply with GDPR regulations. British firms that fail to adequately protect their customer data could be fined up to £17 million, or 4% of global turnover, whichever is higher. The risks of inaction could be crippling.
Being vigilant and prepared is a business necessity. Yet the sheer complexity of the regulation’s requirements means this often a lot easier said than done.
If you’re still in the process of planning and testing for GDPR – don’t fear. Here’s a list of common issues that are catching many businesses unaware.
Record keeping
The regulation calls for organisations to keep a record on what data they keep, where it’s being stored and how it’s being used. For some businesses, this extra admin will mean altering their processes. For others, this may be the first time such an exercise is done. Depending on how many customers and databases are on hold, this could be an unexpectedly complex task.
Encryption and anonymisation of data
According to Article 32 of the regulation, organisations need to be able to encrypt and anonymise data. However, the article doesn’t include any recommendations of how exactly to do this. This means it’s up to businesses to decide which systems to use. It will mean shopping around and finding the best solution. Just remember to keep a record of this (see above).
Right to erasure
Article 17 of the GDPR cites a ‘right to erasure’, i.e. an individual’s right to for their data to be removed from an organisation’s systems if there’s no compelling reason for it to be there. However, given the number of databases (including third party databases) that a customer’s details may be spread across, this may be quite problematic to achieve. The GDPR states that it’s up to the data controller to take ‘all reasonable steps’ to inform other outlets about the request for erasure. However, these ‘reasonable’ steps are open to interpretation. This one’s ripe for lawyers to get involved – be warned.
Built-in privacy
With GDPR, all your systems should have privacy built-in as default. So, what was once considered to be best practice is now a mandate that should be easily demonstrable. Data protection officers, IT managers and customer service teams must work together so that privacy and security notices are clearly communicated and consent is willingly achieved.
Data requests
Customers will have the right to request a copy of the data organisations hold on them. Which is fine if it’s only a handful of customers – but could easily be a logistical nightmare if subject access requests (SAR) blow up. Have a plan in place that will protect your business against such risks.
The pitfalls are worrying, but awareness and preparation is key.
What’s important for all these concerns is for businesses to not see GDPR as a burden. Rather, they should take the view that it represents a huge opportunity to change the way privacy is maintained and transform how their customers see them.
You may also be interested in:
