Research suggests that many businesses are still completely unprepared for the new General Data Protection Regulations (GDPR) coming into effect on 25 May 2018. The regulations are designed to harmonize data privacy laws across Europe, protect EU citizens’ data and reshape the way organizations approach this data. It’s very important to know about the changes, because non-compliance means heavy fines for your business.
Does this concern me?
Almost certainly. Pretty much every business today has to deal with personal data, or at least maintain a customer database. Here at Weemss and Evalato (formerly Weemss Awards Management) we want to make sure you are always riding the crest of the wave, so we researched the subject and summarized the info for you.
First off, when it comes to the personal data of your customers, your business is a data ‘controller’, a ‘processor’, or both.
Controller refers to the person or business that decides what pieces of information are collected, for what purposes, and in what ways they are processed. According to EU law, the controller’s obligations include, but are not limited to:
- provide clear information to your customers about the personal data you collect and for what purpose;
- protect personal data against accidental loss, unauthorized access, or unlawful processing;
- conclude written agreements with any processors that are given access to your customers’ data, requiring them to act only according to your instructions and to comply with all data protection requirements;
- inform the data subject within 72 hours of first becoming aware of a data breach.
An organization can be both controller and processor.
Processor is the person or business that processes personal data on behalf of the data controller, such as data analytics providers or storage services. If you, as a controller, are using two separate providers for such services, both of them are considered ‘processors’ of the same personal data. The requirements for processors include, but are not limited to:
- process data fairly, lawfully, and for legitimate purposes;
- implement all appropriate security measures to protect the personal data;
- inform the controller immediately of any data breaches;
- keep internal records of all data processing activities.
The definitions under the new GDPR can be difficult to translate into today’s complex business relationships. The important thing here is that the regulations apply to both controllers and processors, which means they concern your business.
Your customers’ data and Weemss & Evalato
When it comes to your events in Weemss or awards in Evalato, the platform is a data processor because it collects and processes your customers’ data as part of the service we provide to you and your customers. You are still the sole owner of that data; we just store and process some of it – for example, to generate customer tickets, show you analytics data, etc.
Your events and customers are in good hands, because data safety has been a cornerstone of our service since day one. What changes with the new regulations is that you now have a responsibility to inform your customers that their information is processed by Weemss (as a processor). You should do the same for any service that processes their data: inform them who uses their data and for what purpose.
Although the key principles of data privacy carry over from the old directive, there are some notable changes:
The biggest change is probably the extended jurisdiction of the GDPR. Starting 25 May 2018 the rules for data protection will apply to all companies processing personal data of EU citizens, regardless of the company’s location.
The GDPR will also apply to the processing of personal data of EU citizens where the activities relate to offering goods or services (free or paid) to EU citizens, as well as monitoring their behaviour within the EU. Non-EU businesses that process EU citizens’ data are required to appoint a representative in the EU.
The conditions for consent have been strengthened as well. Companies can no longer use long Terms & Conditions full of hard-to-understand legal language to get a person’s consent to use their data. Instead, the request must be easily accessible and presented in clear and plain language. The purpose for data processing must also be attached to that consent. The consent must be clearly distinguishable from everything else, and it must be as easy to withdraw consent as it is to give it.
More power to the data subject
Data breach notifications will become mandatory where a breach is likely to “result in a risk for the rights and freedoms of individuals”. Data subjects will have the right to obtain from the data controller confirmation of whether their personal data is being processed, where and for what purpose. Additionally, data subjects can now receive the personal data they have previously provided in a ‘commonly used and machine-readable format’ and transmit that data to another controller.
Right to be Forgotten
Data subjects also get the right to have their data erased by the controller, to have further dissemination of the data stopped, and potentially to have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing their consent.
Privacy by Design
Privacy by Design becomes part of the legal requirements with the GDPR. This means building data protection into systems from the outset of their design, rather than adding it afterwards. More specifically, you have to implement appropriate technical and organisational measures to meet the requirements of the new regulations and protect the rights of data subjects.
Controllers are required to hold and process only the data absolutely necessary for the completion of their duties (data minimisation). Additionally, they have to limit the data processors’ access to that personal data.
Penalties for non-compliance
If your business is found to be in breach of the GDPR you face a hefty fine. The maximum can be up to 4% of your annual global turnover or €20 million, whichever is greater. Fines are imposed for infringements such as:
- insufficient customer consent to process data;
- violations of the Privacy by Design concept;
- not having your records in order;
- failing to notify the relevant authority and data subjects about a breach.
How to prepare
- It’s important that you have a clear picture of your network, as well as what kind of data you control and who has access to it. Access to that data has to be highly restricted and monitored at all times to prevent unauthorized access.
- Check and assess the security measures you currently have in place, including technology, processes, and people with access to the data. If necessary, take additional measures to avoid a data breach. Make sure you have ways to find an intruder in the system, retrace their activity, remove them and close the vulnerabilities they used.
- This article is by no means exhaustive; it’s merely an overview of the new regulations. Ensure you’re thoroughly familiar and compliant with everything that’s in the GDPR. Review your privacy notices and make any necessary changes there as well.
The General Data Protection Regulations are just around the corner. If your business is a controller or a processor of data, which it most likely is in some capacity, take the necessary steps to comply with the new regulations as soon as possible. First, because you probably don’t want to get fined; second, because it’s always a good idea to improve your security measures; and third, because your customers will appreciate knowing their personal data is well protected.