The 25th of May is fast approaching, meaning your business has a little over two months until the European Union's (EU) new data privacy law, the General Data Protection Regulation (GDPR), comes into force.
By now, your business should have, or at least be working on, a plan for how it is going to comply with GDPR. If your business is not at this stage yet, it is of utmost importance that you begin the conversation about how your organisation is going to meet the requirements as soon as possible.
The consequences of not meeting the new regulations are severe, with a fine of up to 4% of your business's annual global turnover or €20 million, whichever is greater. Businesses should also be aware that Brexit will not save them from having to comply with the requirements, as the UK government has already committed to introducing GDPR into UK law when the Brexit process is formally completed. Businesses with customers from EU regions would have had to comply with GDPR anyway, regardless of whether it was introduced into UK law.
In short, GDPR gives the following rights to individuals over their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
[Information available from the Information Commissioner's Office (ICO)]
Unsurprisingly, given the key objective of GDPR, the new regulations place more restrictions on B2C businesses than on their B2B counterparts: a B2C business cannot use an individual's data unless it can prove that it obtained clear consent from that individual in the past and explained exactly what the data was going to be used for. Organisations with a long-standing database may find the task of documenting their past consent procedures challenging.
B2B businesses, on the other hand, are able to continue using individuals' data as long as they ensure it is simple for those individuals to unsubscribe and that they understand the purpose for which their data is being used.
For large businesses, the issue of data management is covered in part by their ERP system, which, along with their CRM system, holds huge amounts of personal customer data, a term that GDPR expands to include information such as IP addresses, user IDs and location data.
A lot of the rights outlined by the ICO can be met by simply adopting a default culture of responsible data management within your business, a culture that relies on those tasked with processing and managing data always referring to best-practice procedures. Sizeable businesses may find they would benefit from hiring a Data Protection Officer, whose sole role would be to ensure data compliance. The cost of hiring this member of staff would be far less than the potential fine for non-compliance.
The right that poses the most problems for businesses, particularly in relation to their ERP system, is the one that stipulates that individuals have the right to be forgotten. Regardless of whether the information is stored in a large enterprise management system or an office filing cabinet, businesses must be able to prove that every record of an individual's data has been completely wiped. This is a tricky process, and one that some businesses may not be fully confident of completing with 100% certainty.
Locating and erasing personal data within an ERP system may not be as straightforward as many businesses would like to imagine. Personal data is likely to be stored in a whole host of different tables and areas, meaning the process of finding the data is likely to prove time-consuming, to say the least.
With GDPR, though, time is of the essence when it comes to locating an individual's personal data. This is because GDPR now gives businesses only a month from an individual's request date to present them with their data, a decrease of 10 days from the current allotted time-frame. Businesses that have had substantial customisation work done on their ERP system may find the new timescale challenging. Businesses may find it beneficial, in the months leading up to GDPR, to run a test of how quickly they can locate an individual's data within their ERP software. At the very least, businesses should draw up a plan for how they intend to go about the process.