The European Union has this week released new guidance on how companies operating in Europe should protect their customers’ data. In less than two years, all businesses that work with European customers will have to comply with this General Data Protection Regulation.
The biggest change in data protection laws in 20 years will go into effect in 2018. Today, the EU Parliament officially adopted the General Data Protection Regulation (GDPR), paving the way for a new age of data protection for consumers and tighter regulations for businesses. Organisations, including U.S. multinationals that handle EU personal information, will soon be required to comply with tougher rules to prove they’re actively protecting personal data. The European Union has been working on this data protection requirement for years. In December 2015, the working group involved published a new framework for data protection and security of customer information. The General Data Protection Regulation, or GDPR, applies to all companies doing business with customers in Europe.
As background, all companies deal with customer data as part of buying and selling goods and services. For companies that sell to customers more than once, this means holding on to their data, such as credit card numbers, addresses and other sensitive information. As customer records have moved from old-fashioned paper systems to digital records, new guidance is required on how this data is stored and managed over time. Without this update to the regulations, the guidance on how data should be protected would either be out of date or fail to cover all the potential use cases that now exist for customer data.
By putting one overall framework in place, companies will only have to consider one approach to data security, rather than dealing with multiple data protection set-ups for customers in different countries. For customers, the regulations will provide greater control and transparency over their data.
For all companies that do business in Europe, GDPR will come into force in early 2018, giving their IT teams two years to prepare.
There are five main points to consider:
- Data protection should be included by design within all customer data management implementations
- Every consumer will have easier access to any data saved about them
- Every consumer will have the right to know if and when data on or about them has been hacked
- Every consumer will have the “right to be forgotten,” where data can and should be deleted once it is no longer necessary
- Not meeting these requirements can carry a financial penalty of up to four per cent of global turnover, which includes all cash revenue that a company generates during a year
Adherence to these points will be monitored and enforced by the Data Protection Authority (DPA) in each country; in the UK, this will remain the Information Commissioner’s Office. For companies with operations in more than one country, one DPA will take the lead role and be responsible for all data protection activities applying to that company.
There are also plans to require companies meeting specific criteria to appoint a data protection officer (DPO). The criteria for this are still being debated, but measures such as company size based on the number of employees are currently being suggested. The DPO would be responsible for ensuring that all rules on data protection are followed, in the same way that a health and safety officer oversees the protection of people within the company against risk in the physical world.
For company IT teams at businesses that sell in Europe, there are several things that they can begin doing now in order to protect their business operations against risk. Planning ahead now can make it easier to implement processes and technologies that protect company data, as well as ensuring compliance around the security and storage of customer data.
Here are 4 steps to take to get ahead of the new laws for all companies doing business with customers in Europe.
- Put data protection safeguards in place – this means ensuring that all customer data sets are secured and encrypted, as well as tracking who is allowed to use or create new copies of customer data records.
Data on company IT assets should be collected and copied to provide a backup – making use of public Cloud services can help reduce unnecessary redundancy and use of multiple services, ensuring that the cost of protecting data for DR and compliance is reduced over time.
- Get control over all data – GDPR will mean that companies will have to make any stored information available to customers or users in a format that is clear and understandable. If a customer wants to move to another company, then the data around them should be in a portable format too.
Bearing this in mind now will make it easier for company IT teams to support this portability of data from a technical perspective, even if the business operations team may want to retain customers as much as possible. Marketing and other uses of customer data are the areas with the most potential for slips here. Tracking the use of personally identifiable information (PII) and spotting where new copies of customer data are created can reduce this risk considerably, even when those files are being created on individual laptops or mobile devices.
- Prepare for the worst – IT security issues continue to plague companies of all sizes. Where once companies could prepare well and prevent incidents, the sheer complexity of IT today means that many companies are now planning for when they get hacked, not if.
Securing data with encryption is one step; however, companies also have to put plans in place for communication around a data breach event, as well as looking to minimise the risk that is involved through smarter management of data sets in the first place. Even if a data breach does take place, customers should not be affected.
- Get ready to delete data – Customer data can and should be deleted by companies when they are requested to do so. At the same time, companies may also need to hold on to customer data for archiving, so there is a fine line to follow between data protection requirements around deleting customer data and retaining information for disaster recovery or archival.
Getting a good policy in place for how and when data should be deleted is therefore going to be essential. This can be used to justify the work and budget involved in managing deletion of customer data where it might be required, as well as where data may be needed for archiving and therefore will be kept.
For all businesses that work with European customers, regardless of size or location, GDPR will force a rethink around how data is created and captured across the organisation. The overall aim is to make data protection and security easier for customers, while companies will have to take a more nuanced approach to customer data storage over time. For companies that want to simplify their approach to data security, converged data protection can help.
Learn how to plan your requirements around GDPR ahead of the deadline for delivering better data protection for your customers with this 5-step guide.