May 24, 2018 is the date when the General Data Protection Regulation enters into force. It sounds like routine bureaucracy, but wait: this is a regulation, not just a directive. The terms regulation and directive are often used interchangeably, but they are very different. A directive is implemented and enforced by individual countries, whereas this regulation becomes law directly and will apply in all 28 EU countries.
OK, what will change? What needs to be addressed seriously?
Users will be able to make compensation claims.
This regulation will allow users to claim damages in the event of data loss as a result of unlawful processing, including collective redress, the equivalent of a US-style class action lawsuit. Senior management will need a good understanding of what kind of impact this would have on their business. Not only can legal damages be incredibly costly from a financial perspective, they also cause further reputational damage, as cases can carry on for years and keep the story in the public eye throughout that time.
Data processors will be held responsible for data protection.
Under the new regulations, any company or individual that processes this data will also be held responsible for its protection, including third parties such as cloud providers. Put simply, anyone who touches or has access to your data, wherever they are based, is responsible in the case of a data breach. Anyone! Third parties will need to be extra Argus-eyed when it comes to securing the data of others, and data owners will want to thoroughly vet their partners.
With the new regulations in mind, organisations should think about reviewing their third-party contracts now. In the case of cloud providers, seriously consider having, as part of your contract, the ability to carefully review their procedures and even their facilities to make sure they are up to scratch.
The regulation has global ramifications.
The new regulation affects every global organisation that may have data on EU citizens and residents. Reputational damage is also a key element of a data breach and the new regulation is likely to harmonise ‘naming and shaming’ policies across each country.
Also, cloud service providers, especially those based outside the EU, may not believe that the regulations apply to them, but it is clear that they do.
Tighter rules on transferring data on EU citizens outside the EU.
Even where sharing is allowed, the current rules already prohibit personal data from being transferred outside the European Economic Area unless the controller assures an adequate level of privacy protection.
Rights to be erased.
Users can also demand that their data be erased. This may sound straightforward but it’s not always that simple. If a person said they wanted to be removed from one of your databases, how would you go about doing so? Would you have to remove data from multiple systems? Are syncing protocols in place that would make doing so difficult? Do you have processes now for this and how would you remove contact information from individual databases or spreadsheets? These are questions that need answering now, not after the regulation comes into play.
Responsibility to inform users of their rights.
Under the new regulations, controllers must inform and remind users of their rights, as well as document the fact that they have done so. In addition, users should not have to opt out of their data being used; they must opt in to your systems. This is more stringent than the current directive, and companies that fall foul of these measures will face larger fines.
Tougher sanctions and incident reporting.
In case there was any doubt about how seriously the regulators are taking the data breach issue, sanctions have been made much, much tougher. Fines may be as high as €100m or 5 percent of global revenue (whichever is higher).
Also, the regulation is intended to streamline the incident reporting process, most likely so that regulators must be informed within 72 hours, unless, as per the ‘reasonable expectations’ requirement (explained shortly), the data was encrypted or tokenised.
What does it mean for your business and loyalty program?
At Sendigo we work closely with clients to revise and adjust personal data flows and update technical requirements to make sure processes work like clockwork. We believe this is the ideal time for IT, security, and compliance teams to review the new requirements, seek legal guidance and put into place processes that will enable compliance. In May 2018 it may be too late.