New rules for data protection come into force in May 2018. The EU General Data Protection Regulation (GDPR) replaces the current Data Protection Act and applies to any organisation that does business in the EU.
The key changes include:
- a broader definition of personal data, meaning more data must be protected
- minimising the amount of personally identifiable data that's stored and ensuring it's not stored longer than necessary
- asking individuals to actively opt in to having their data stored and processed, through a consent document laid out in simple terms
- giving individuals a "right to be forgotten"
- more stringent conditions for reporting data breaches
Here are three steps you can take to help you prepare for the new regulations.
1. Review the data you hold on individuals and put in place measures to minimise the amount of personal data you store
The obvious place to start is in "formal" systems like your Customer Management System and HR applications. But you should also look at systems that support less formal interactions with customers and employees, such as email and chat logs in your contact centre.
Google has created the Data Loss Prevention API to help you automatically identify, classify and redact sensitive information across all your systems.
2. Put in place policies and procedures to handle new rights for individuals
For example, organisations in the UK must now:
- respond within 20 days to requests to see the data an organisation holds on them, down from 40 days previously
- obtain parental consent to process data relating to children
- be able to identify all the data they hold on an individual – in spreadsheets and databases created by individual employees as well as in corporate systems – in the event someone invokes their "right to be forgotten"
Again, the Google Data Loss Prevention API will help you understand what information you hold on individuals across all your systems to allow you to meet these requirements more quickly and easily.
3. Ask your IT suppliers about their plans for complying with the GDPR
Suppliers who aren't based in Europe may claim they aren't covered by the new EU regulation, but that's not true. If you do business in Europe with European customers, every part of your IT services must comply with the regulation.
Google has committed to having full support for GDPR on the Google Cloud Platform by May 2018.
Companies that breach the regulations will face increased fines, as high as €20 million or 4% of global annual turnover, as well as damage to their reputations. Clearly, this is an issue no board can afford to ignore, and getting it right won't be easy.