Is your customer data an accident waiting to happen?
Changes to data protection in the form of the General Data Protection Regulation (GDPR) come into force in Europe in May 2018. Paul Howard, Director of Infuse Technology, explains that businesses all over the world are going to need to take note of the compliance requirements if they are selling to European customers.
First of all, it’s important to point out that the spirit of the GDPR focuses on protecting the individual, rather than applying controls to companies in the way that many other regulations do. Secondly, there are opportunities for smart businesses that comply quickly, while those that ignore it will face serious challenges and penalties.
For those businesses outside of Europe or the UK, GDPR still protects the rights of the individual even if the company managing the data is non-European. To put this into perspective, imagine an American airline selling flights to people in the UK. The airline must ensure it complies with the GDPR, even though it is solely based in the U.S.
Rights contained in the GDPR framework
Seven individual rights are contained within the GDPR framework. These include the right:
- To be informed
- Of access
- To restrict processing
- To data portability
- To object.
"To fulfil these rights as data controllers, companies should be looking at the way they are currently storing and accessing data. For many years, companies have been guilty of keeping data for longer than is necessary - GDPR is a good excuse to finally clean up that data footprint!"
Paul Howard, Director, Infuse Technology (technology consulting arm of Smith Cooper Ltd)
Investigate internally and up and down the supply chain
While it’s true that the quantity of data held within a business adds flexibility and finesse to business processes, it also brings complex challenges across the business in terms of accuracy, security, care of the data held and its proper protection.
Organisations need to investigate their current systems and suppliers to ensure they have the tools necessary to be compliant; if someone requests the right to be forgotten and the data is held in paper form as well as digital, the company will have double the job to complete.
While this may seem arduous, moving all systems into the digital age will make the processes of storing data, removing data and monitoring retention much easier.
Ensuring data is current and accurate is also important when it comes to the GDPR right to data portability, whereby data subjects can request a copy of the personal data held on them, for free. Organisations should ensure they hold enough information on the data subject to verify their identity when they ask for a copy of their data; otherwise the business will be opening itself up to a data breach by releasing personal data to the wrong person.
How GDPR can help an organisation
It will help organisations to:
- Clean up their rotten data
- Easily receive data regarding a data subject
- Force accuracy of the organisation’s customer data.
What organisations need to do
- Create an asset register of data silos
- Look at client portals to easily share data with customers, ensuring their right to be informed
- Ensure data security is up to date and sufficient.
GDPR is both a threat and an opportunity. With the ICO (Information Commissioner’s Office) in the UK being funded by fines from GDPR, those in the professional services sector should take note, as they could be at the top of the list when it comes to being targeted.
For advice on GDPR
Contact Paul Howard at Infuse Technology, the technology consulting arm of Smith Cooper Ltd.