We're GDPR compliant, are you?
Isobel Bond | May 25th, 2018 | 3 min read
Consumers and businesses are increasingly savvy about how companies handle their data. With the advent of 'Big Data' and targeted, personalised direct-marketing, clients are growingly concerned about what business know about them, how they are using that information and, after some high-profile breaches, the safety of their data.
General Data Protection Regulation (GDPR) brings new data security requirements for businesses that apply from today, the 24th of May 2018. Despite being EU regulations, the UK still comes under the new rules and will continue to do so, notwithstanding the current Brexit position.
The area covered by these rules relates to any business who processes data of a resident of the EU, irrespective of whether any payment is made for the service provided. Applicable non-EU companies should have appointed a representative in the EU. Cloud services are not exempt from the new regulations.
Fines for companies breaching the rules are very hefty and can be up to 4% of annual global turnover (AGT) or €20 million (whichever is higher). There is a reduced penalty rate of up to 2% of AGT for not keeping records in order, failure to notify a breach or conduct an impact assessment. These sanctions put pressure on businesses to ensure that the systems they use to deal with client data are secure.
It is now no longer possible to hide the request for consent for data use in some waffling small print. The application must be clear, in plain-English, and just as easy to withdraw as to sign up. The purpose of the data must be transparent, and the consent must be distinct from any other matters.
Data breaches must be stated to the relevant bodies within 72 hours of becoming aware of the incident if the violation results in risk to the rights and freedoms of the individuals, whose data is concerned. Also, companies who process data must inform their clients without undue delay. These new regulations make it vital that you deal with companies who will look after your data and comply with these policies.
Clients have the right to request all the information that you hold on them, details of where it is being processed and for what purpose. An electronic copy of this data should be provided free of charge (although some exemptions for costs do exist). It is important to check that your current system provider can export this information without excessive administration resources on your behalf.
The regulations also specify that companies should only hold data for the purpose that has been agreed by the client and the completion of works, also data access should be limited on a need-to-know basis. Therefore, your data management system should have separation of duties and data minimisation features to fulfil these obligations.
Clients have the right to be forgotten, with some exemptions. So, if their data is no longer required under the original use that consent was given, your data management system must be able to erase their information. Clients also have the right to request their data to be rectified within a definite period of a month, with extensions of 2 months in complex cases.
Overall, there are significant responsibilities on companies to ensure that they satisfy with these data security measures.
SwiftCase is a workflow management system, that can streamline your business processes and data capture while ensuring GDPR compliance.