The General Data Protection Regulation (GDPR) came into effect last year giving pressure to data brokers and tech firms to adequately protect, process and store customer information. Developed by the European Parliament and the Council of the European Union, the new EU data regulation laws threaten businesses with hefty fines of roughly 20 million euros or four percent of their turnover should they fail to adhere to the new legislation geared towards giving people more control over their personal information.
There are also mandatory breach notifications where businesses are required to notify the Information Commissioner’s Office within 72 hours in the event of a data breach. In general, GDPR provides individuals with an option of whether to allow businesses to access their information. Unlike other data protection laws, the onus is now on these companies to contact customers and ask for their permission to do so.
GDPR also helps streamline the regulatory environment by complying with EU regulations. In other words, any business that crunches and hoards data of EU citizens within EU states must adhere to the GDPR even if they do not have a business presence within Europe. The most particular criteria for businesses required to comply are the following.
- A presence in an EU nation
- Has more than 250 employees
- No presence in an EU nation but processes personal data of European residents
- Organizations with less than 250 employees but have data processing methods that affect the rights and freedom of data subjects
Under the new regulation, industries affected by GDPR must obtain a legal basis for processing customer information. The GDPR laws can allow customers to request that their personal information be deleted by organizations that they do not want to be in possession of. Thanks to GDPR, consumers now have the right to object, restrict, and ask for information notices especially if there are any changes done on their data.
Generally, GDPR identifies personal data as anything that can be used as part of the identification for EU citizens. Besides the common data like name, addresses, and phone numbers, it also includes bank information, financial account numbers, social media data, and dossier related to personal health.
Moreover, GDPR also asks businesses to ensure that plain language should be used in explanations and privacy policies on how customer information will be used. This means that organizations should avoid using legal and technical jargon to avoid confusion among users. Other than that, companies should also fulfill these requirements under GDPR laws and guidelines:
- Total consent is needed to collect and use the data users with plain ways to opt-out of some or all data gathered.
- Customers have to provide the right to be forgotten on business networks.
- Heavy-duty safeguards should be in place for data related to race, religious beliefs, political, health, and sexual orientation.
- Users can decide to opt-out of target advertising using their personal data to avoid receiving unnecessary emails.
GDPR has also set six bases for processing personal information. These include public interests, legal interests, contracts, legitimate interests, consent, and vital interests. Dissimilar to other regulations, the implications of GDPR are seemingly more omnipresent than expected with multiple sectors that might not have expected to be specifically affected now having to reorganize their approach to the management of digital data.
Assess your GDPR compliance
Some industries will experience the brunt more than others so knowing how to properly safeguard, process, and store information is necessary. Read on to find out the industries affected by GDPR and minimize your risk by talking to an expert at RSI Security.
1. Social Media Platforms
As mentioned, GDPR now recognizes data associated with social media posts as part of personal information. This makes it harder for social media and online communities to track customer information and their behavior for systematic targeting and profiling.
Social media companies will have to acquire a legal basis in the form of explicit customer opt-ins before they can send social advertising emails. Usually, opt-ins linked to social media come in the form of a pop-up that asks for the user’s permission.
Presently, Facebook is embroiled in a data rights controversy as a result of the extensive data mining process of Cambridge Analytica during the U.S. election season. Although social media companies have been collecting personal information for years, the recent situation revealed what they might actually be doing with the said data.
GDPR will also affect social media marketers particularly in targeting options. Marketers using custom lists and email marketing must obtain explicit consent from customers to process personal information for the process of social media advertising.
2. Financial Services
Organizations across financial sectors manage substantial amounts of information on every customer and GDPR brings a unique challenge in any respect. Even though there is a tremendous risk linked with managing these tons of data, there is also a massive opportunity for businesses to build transparency and trust with customers particularly in what has traditionally been a misty financial sector.
According to PwC, the move to GDPR will provide businesses with an opportunity to transform their approach to privacy, harness the value of information, and ensure that their organization is fit for the digital economy. This is especially important counting that 53 percent of online users are getting more concerned about online privacy compared to 2017.
For organizations where the information held is so inherently personal, the topical ability to communicate with customers and inform exactly how you are using, what you are collecting, and how you are protecting data is a solid way to build a positive reputation within the industry.
Companies within this industry will also need to comply with the appropriate visibility protocols allowing consumers direct access and control to their relevant information. If a customer demands to see the information available, financial institutions and banks should be able to present the information in a safe and reliable way.
In short, that means convenient and easy-to-use tools must be deployed or established to provide customers with complete control and accessibility. Furthermore, the asset and wealth management industry will also be deeply affected by GDPR as it influences the management of information through third-party vendors and the classifications between the data processor and the data controller.
3. Online Retailers
Online retailers and businesses are expected to be hit hard by GDPR especially with regard to how consumers can request the management of their information. Under GDPR, consumers can make it clear that they don’t want their personal information used for marketing and advertising purposes and retailers must also adhere when told to forget anything they have.
In short, the entire customer profiles used for advanced metrics, proper targeting or even customization will be at risk. Recent statistics have revealed that one in three EU adults have intentions of contacting online retailers to ask that their data no longer be used for marketing purposes or to have their personal information forgotten.
This also means that online retailers may need to search for entirely new ways to collect information on targeted customers especially if they belong to a niche group where every data point is valuable. Other than that, the retail industry also tackles some roadblocks specifically with the use of CCTV cameras.
The footage in which people are recognizable are considered information under GDPR, and so the use of CCTV must be evaluated and reviewed where appropriate. In most cases, online data retailers manage extensive information like purchase history, customer contact details, and loyalty card use, which could all be used to identify individuals.
Organizations distributing marking information are also required to check if their customers have given them consent to receive it. However, adopting processes like pseudonymization may help businesses to continue using data for customer profiling purposes without breaching guidelines.
4. Healthcare and Medical
Healthcare providers have long been at the front line of digital transformation as their business involves the storing of huge amounts of personal information. A key objective of GDPR is enabling the widespread availability of data concerning the location and purpose of collected information. The emergence of predictive analytics an electronic health records indicate that incredibly sensitive data are being kept and stored online.
While the good news is that the healthcare industry is already strict with the security and management of these records, there are still concerns about compliance to GDPR because it is more demanding than the Health Insurance Portability and Accountability Act (HIPAA).
This also provides healthcare companies with a more comprehensive view of their patients, thus, helping them enhance diagnoses. On the flip side, GDPR also introduces the right to be forgotten which could conflict with the legal requirement for healthcare providers to retain following the discharge or death of a patient.
The right to be forgotten is relatively new to the healthcare industry not just in providing the proper controls and accessibility but also adhering to compliance. Further, the information can only be kept or stored for a specific length of time alongside limits for how it’s stored as well.
5. Software & Technology
The way that technology is incorporated into business indicates that considerable overhaul might be needed in terms of data management and IT infrastructure specifically for those working in software and development. With the implementation of GDPR, tech start-ups and other businesses in the sector will need to consider more heavy-duty methods of protection and data storage.
A report by Computer Weekly revealed that approximately 71 percent of tech start-ups failed to encrypt gathered data. The report further added that around 53 percent of tech businesses store customer data without correct permissions or consent from customers.
With GDPR, businesses will be required to build their systems so they are completely transparent about gathering data. After all, properly storing consumer information in password-protected folders or by encryption is vital for peace of mind when the data collected is likely to be a target of online attacks.
Aside from technology companies, cloud computing and remote services are also among the industries affected by GDPR. Although remote computing solutions and cloud providers may not be directly responsible for the information coming in, they will still need to properly prepare and update their processes to assure that compliance is met.
How to Achieve GDPR Compliance?
Achieving sustainable GDPR compliance may sound overwhelming but there are ways to make it more manageable and straightforward. The initial step toward GDPR compliance to access data sources to ensure that businesses can investigate and audit the personal information stored and used throughout your data landscape.
While this can be done by in-house personnel, it is encouraged to hire the services of a Data Protection Officer from RSI Security to further enhance the chances of being compliant. In most cases, companies and public organizations with more than 15 employees that process personal data are required to opt for the services of a DPO.
The DPO will perform automated and regular monitoring of data subjects on a massive scale. They also inspect every data source to identify what personal data can be found each. More often than not, personal information is stored in semi-structured fields which means that the DPO will need to parse those fields to extract, catalog, and classify personal data elements.
Subsequently, the DPO will establish a personal data inventory and governance model to define what personal data means and share this understanding across the organization. Privacy rules should be tested and distributed throughout all networks of business for GDPR compliance.
This GDPR’s way of ensuring that personal data can only be accessed by those with appropriate rights, based on the nature of personal data, and the rights connected with user groups and the usage context.
Once the model has been established, the Data Protection Officer will then require businesses to set up the proper level of protection for the data. GDPR compliance typically encourages three techniques in protecting data which include anonymization, pseudonymization, and encryption.
The final step in the journey to GDPR compliance involves auditing. During this phase, companies will need to produce comprehensive reports that clearly show regulators that they:
- Have the proper processes in place to supervise options such as the right to be forgotten and data breach notifications.
- Are able to prove how personal information is used, who uses it, and for what purpose.
- Are appropriately managing the process of getting consent from individuals who are involved.
- Have a comprehensive view of what personal data they have and where it is located throughout their data landscape.
Reaching full GDPR compliance takes a few weeks and dollars but the real driver for adopting these principles is expected to make the business more efficient, competitive, and secure. An audit often cleanses where appropriate, and acquire relevant permissions when it comes to contacting consumers to ensure proper data integrity. Find out how these changes provide an opportunity to improve by getting in touch with RSI Security.