In the middle of 2018, it seemed the only topic being talked about, prepared for and worried about was GDPR – the General Data Protection Regulation. This regulation was introduced by the Council of the European Union, the European Parliament and European Commission in order to give European citizens a higher level of control regarding their personal data.
All organisations now need to be fully compliant, ensuring any personal data they collected prior to the May 25th 2018 deadline is accompanied by consent from the individual for the organisation to retain it and use it in the way expressly permitted by the individual. This covers employee, client and customer data so is relevant to all businesses.
The type of data that the GDPRs protects are names, photographs, email addresses, IP addresses, medical information, bank details and social media posts.
There are penalties for companies who do not comply with the regulations and also for those who do not deal with any data breach in a correct and timely manner. The biggest named example of this is British Airways, who reported a data breach incident to the Information Commissioner’s Office in September 2018, where customers were diverted to a fraudulent site where hackers then harvested personal data and financial details from 500,000 customers. The ICO fined BA for this customer data breach to the tune of £183m.
After announcing the fine for British Airways, the next day the ICO imposed a fine of £99m to the Marriot hotel chain for failing to protect the data of 339 million customer records.
If a data breach should occur, the GDPR specifies that companies must provide adequate notification. Your company would have 72 hours to notify the appropriate data protection agency and must inform all affected individuals without undue delay.
You must ensure people have chosen to opt-in to receive emails from your company and be sure to give them a clear instruction on what to do if they want to opt-out at any time. When visitors to your website or customers give you permission to record their data, you need to also make a record of when they opted in and keep this data secure. People can submit access requests to your business to find out what data you hold about them.
Security on websites is of key importance so do check that your website has a current SSL certificate (you’ll see a padlock symbol in the address bar if so). If not, get your web team onto it immediately.
If a company is found in breach of GDPR they can be fined up to 20million Euros or 4% of their turnover. It is not a law worth flouting so do ensure your business is up-to-date and compliant with the GDPR.
Check your company’s GDPR procedures for the following:
Deleting personal data
Providing data following an access request
Do you need to obtain parental/guardian consent for data of under 16s?
Check your plans and procedures for detecting, reporting and investigating and data breaches.
Ensure your current privacy policies are clear and correct.
www.ico.org.uk continually updates its website with reference to GDPR and is a useful resource.