Data security for GDPR

Are you ready for the new GDPR rules?

The new General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. It’s an EU framework which governs how personal data is stored and handled and so has far-reaching implications for businesses about how customer information is collected and managed.

What is GDPR?

GDPR replaces the current Data Protection Act and aims to improve the security of personal data. It is built on the principle of ‘privacy by design and by default’ which means that organisations must consider the impact that processing personal data can have on an individual’s privacy. Among other rights, your customers will have the ‘right to be forgotten’.

You can find out more on at the Information Commissioner’s Office website, but in summary GDPR means your customers have:

  • the right to be informed – covering the transparency of how you use personal data
  • the right of access – customers will need to have access to the personal data you hold about them
  • the right to rectification – people can have personal data rectified if it is inaccurate or incomplete. If you have passed information to third parties you will need to inform them of the need to rectify
  • the right to erasure – also known as the right to be forgotten, this enables an individual to request the removal of personal data where there is no compelling reason for its continued processing
  • the right to restrict processing – an individual will have the right to restrict the processing of personal data which would mean you could store it but not further process it
  • the right to data portability – this allows individuals to obtain and reuse their personal data for their own purposes across different services
  • the right to object – individuals can object to data handling issues such as direct marketing and the processing of data for purposes of research and statistics.

There are also rights related to automated decision making and profiling – this is about the protection of individuals against a potentially damaging decision taken without human intervention (ie. automated opt-in to email marketing).

What does it mean to your business?

Businesses of all shapes and sizes need to take a detailed look at how they manage, use and store customer data. In a world where we use cloud computing and smartphones, and work from various locations, this is likely to be complicated.

You’ll need to know exactly what personal data you hold and where it is located. It will be necessary for you to have a procedure in place to ensure the complete removal of this data upon request.

As well as looking at the security of your IT infrastructure, it’s important to look at the systems and processes you have for collecting, storing, accessing and managing customer data. You’ll also need to consider how you can mitigate accidental, malicious and criminal data security risks.

What are the implications for marketing?

From a marketing point of view, the main issue is one of ‘consent’. You will need to ensure customers proactively opt in to marketing contact, whether that’s via email, post, SMS or other channel. It isn’t sufficient to ask a customer to untick a box if they want to opt out, they have to undertake the step to opt in themselves.

You will need to review how you gather information about customers and consent for marketing and email marketing purposes and ensure that every aspect is compliant.

Managing compliance with GDPR

Every business is different but broadly speaking preparation for GDPR will entail:

  • An audit to ensure you understand how data moves around your business and to identify any potential security risks.
  • Steps to protect that personal data to comply with all aspects of the legislation.
  • A monitoring process to ensure you can continually review data security to remain compliant.

Further reading: BT has produced an excellent guide to GDPR.