Here at AB, we always go the extra mile for our clients and their learning… Hence our interest in the new data protection regulations that will be coming into place in 2017.
These regulations will affect us and the way we operate massively – so they are sure to affect most of our clients and partners, too. We all need to take these new regulations seriously because of the implications of not meeting them: sanctions, fines and penalties that could hit your business hard, and, most importantly, the duty to protect customer data and privacy.
Now, you may have seen something about EU regulations in the headlines and thought ‘well, we’re leaving anyway. This doesn’t apply to me’. Think again. The regulations go beyond the location where the data is processed and depend on the location of the data you are processing. For most businesses, this could be data coming from anywhere in the world (including the EU)…
Data Protection Officers
Now that the elephant in the room is out of the way, let’s talk about how the regulations will affect you. Some companies will be required to appoint a data protection officer (DPO). If the processing is carried out by a public authority, you may need a designated DPO. You may also need a DPO if your business’s or organisation’s core activities require ‘regular and systematic monitoring of data subjects on a large scale’. Essentially, if you handle a lot of data, this will affect you.
So, what are DPOs? Do they need any qualifications? What will they be responsible for? Well, we’re glad you asked!
DPOs will be responsible for managing data security: anything that could constitute a cyber attack or data breach, as well as the day-to-day management of sensitive customer information. Essentially, any issue concerning the holding or processing of data will fall in their lap. While there are no official qualifications or legislation a prospective DPO must meet, it is recommended they be designated on the basis of expert knowledge of data protection law and the practices relating to it.
There are various industry-recognised qualifications a prospective DPO could hold, such as the Certified Information Privacy Professional designation granted by the International Association of Privacy Professionals.
However, a DPO does not officially need to be an employee; they could work in an advisory capacity as a third-party consultant. An existing employee could take on the responsibilities of a DPO, too, though this raises the question of how workload management and resource allocation will be affected.
Who will be affected?
Organisations of all shapes and sizes will be affected, with the severity of the impact determined by the amount of data a business processes. If you are a person, business or organisation that controls personal data, you will need to be compliant. However, the size of your business and the amount of data you control will affect how smoothly the transition to compliance goes. You may actually begin processing more data as a result of the legislation, too.
This is because the GDPR changes the definition of personal data. ‘Personal data’ is now a much broader term that includes identifiers such as genetic, mental, cultural, economic and social identity. To make sure you are ready for this, you must realise that all loss of data must be reported to the ICO or a related appropriate body within 72 hours. Organisations will not have to register with the ICO from 2018; they just need to report data loss within 72 hours. Failure to do so will warrant a severe financial penalty and count as a criminal offence. Personal data can only be kept for as long as it is required, too. Any data kept beyond the point at which the user has requested its removal is held unlawfully, so processes will need to be put in place to handle this.
The right to be deleted…
Following on from keeping data only for as long as it needs to be kept, similar processes need to accommodate another important factor: the new erasure rights that will come into force. Everyone now has ‘the right to be deleted’, so to speak. It sounds simple, because all you have to do is delete the data. Wrong. The difficulty lies in your ability to keep all of your data in sync. Do you have the right processes in place to handle lots of different data at once? Your systems must also be slick enough to allow data subjects to be added and deleted seamlessly. Put simply, more data means more processes and more systems. To avoid further complications, businesses must now inform users of their rights and remind them of those rights. This is now a standard requirement for all businesses and is something that needs to be introduced sooner rather than later.
So, what does it mean?
It’s a lot to take in. Data is a huge part of marketing campaigns and the tool we as marketers use to ensure our messages appear in the right place, at the right time, in front of the right people. Without it, what we do is basically just shouting into an empty space. The days of opt-out are gone, replaced with opt-in. Implied consent will be left behind in 2016, and any data a business processes will have to be watertight in its terms: it must be clearly outlined what the data will be used for, which changes the way businesses ask for data.
To put this clearly: an affirmative response must be received from the data subject. If the data subject is under 16, you will need a parent’s permission. A DPO could be needed, but the first thing I would recommend is an internal audit to see which criteria you are meeting and which you aren’t. From there, you can begin to form a plan for what you need to do to make sure you aren’t lagging when the regulations come into play. It’s worth noting what we know so far about the financial penalties you could face: either €20m or 4% of your annual turnover, whichever is higher. It just goes to show the importance of knowing as much as you possibly can about these new regulations and making sure you don’t get caught cold.