Data protection regulation affects your organisation too!

19-05-2016

Data protectionThe European Commission has approved the strictest data privacy regulation of anywhere in the world. This will have impact on every business and organisation active within the European Union and legal experts say it cannot be ignored. Here’s what you need to know about how it affects your organisation.

Everyone owns personal information. Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, and credit card number. But what happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information? According to the European Commission, everyone has the right to the protection of personal data.

Why the General Data Protection Regulation of the EU?

For a long time many have overlooked the value of personal information. But more and more companies are starting to use and share personal information, not only for gathering feedback on how their products and services are used, but also for marketing activities. Criminals see the value of personal data as well. Identity theft, phishing attacks, stolen login credentials are all examples of cybercrimes targeting personal data. And these cybercrimes are growing and expanding at a very fast rate.

To improve the transparency of data collection and processing, and to give everyone control over their own data, the European Commission (EU) has adopted a new strict regulation for data protection also known as GDPR (General Data Protection Regulation). The objective of this new set of rules is to give citizens back control over their personal data and to simplify the regulatory environment for businesses. It will give citizens more information on how their personal data is processed, presented in a clear and understandable way. Citizens will have more control over their own private information and it is hoped the new legislation will ensure clarity and legal certainty for businesses.

Customers must be able to request and receive a digital copy of their personal data in a format that is usable and have the right to transit that data to another controller without hindrance.
Article 18 – Right to Data Portability

To whom does the GDPR apply?

The GDPR will apply to the processing of personal data in the context of the activities within the EU, regardless whether the processing actually takes place in the EU. In other words, all companies established in the European Union will have to comply with the GDPR. Note that, while the GDPR is a European regulation, the regulations apply to any entity that offers goods or services to residents of the EU. The GDPR applies to personal data related to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computers IP address.*

How to comply with the GDPR

The rules come into force on May 24th, 2016 and will be enforced from May 25th, 2018, so EU member states will now have two years to pass the new regulations and protection rules. Any company that does not comply will have to pay a fine up to 20m or 4% of annual worldwide turnover. The fines apply to infringements of the basic principles for processing, including conditions for consent, data subjects rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the GDPR, and orders by data protection authorities including suspension of data flows.

While it goes beyond the scope of this article to describe how to fully comply, here are the main points of the new legislation:

  1. Companies need to create a data breach response plan that both evaluates the risk of harm to consumers and still allows for regulators to be notified within 72 hours of discovery if that risk is deemed to be great;
  2. Companies need to find a way for enabling citizens to provide clear and affirmative consent to the processing of private data by the organisation concerned, so as to give consumers more control over their private data;
  3. Citizens shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. In addition, the controller in a structured and commonly used electronic format must provide the data;
  4. Companies are required to delete data if it is no longer used for the purpose it was collected or delete data if the individual revokes consent for the company to hold the data.

The biggest challenge: obtaining consent

From our experience the hardest part of complying with the new regulation lies within enabling a customer to give, and withdraw, consent to the data processing. Though there is still discussion on the allowed methods for giving consent, we are clearly moving towards a form of electronic or digital consent. Given the nature of regulation and the use of electronic data in general, a consent solution should meet standards like non-repudiation to fulfil the requirements. Furthermore, the solution should be cross-device and cross-platform. And last but not least, it should be very secure. Combining these three factors; complying with legislation, meeting standards and ensuring security while at the same time remaining user friendly can be a tough nut to crack.

Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Article 4 of the GDPR : core definition of consent

Our solution for obtaining consentData Protection: GDPR

Our solution, called ConsentID Identity Provider?, enables business to meet GDPR compliance in the area of electronic consent. ConsentID? is able to obtain consent from users in a user friendly way on different devices like desktop, mobile phone and tablet. But perhaps its biggest value lies within the fact that it enables you to interact with your customer on a new level. While previous channels of communications always had an element of insecurity, the ConsentID channel allows for the highest level of security while maintaining, or even improving, user friendliness. It not only helps for customer engagement and retention (Know Your Customer), but also allows the user to know you. To trust you.

If you want to know how we can help your organization with EUs GDPR regulations, contact us today.
Click here for more information about ConsentID Identity Provider?.

 

* The regulation does not apply to the processing of personal data for national security activities or law enforcement (competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties).

Sources:?European Commission,?Lexology, Lexology,?SC Magazine