As a useful summary, I’ve listed six important elements below, extracted from our whitepaper “Defining the data powered future”. I’ve also included some key focus areas to help your planning. Of course, it’s by no means exhaustive and we’d always recommend referring to the ICO for more detail.
1. Rights of Individuals
There has been a desire to strengthen data subject rights within the GDPR. To this end, there are a number of new data subject rights (e.g. the Right to Erasure or Right to be Forgotten) or enhanced rights (e.g. Right to be Informed). Given their importance, two major elements, the Right to be Forgotten and Right to be Informed are covered in more depth below.
Focus area: Consider how your organisation can make it easy for an individual to not only find the data you have on them but to also edit, add or remove that data. Obviously, secure access should be a priority, so look at ID Verification tools if you don’t have a consumer facing portal already.
2. Right to be Informed
Businesses need to make sure people understand who is collecting their personal data and the purposes for which data controllers are processing it.
Organisations will need to update their privacy policies to meet the requirements of the GDPR. The new principle of accountability in the GDPR means there will be much more of an onus on controller businesses to demonstrate compliance with the data protection principles within the GDPR.
Focus area: Think about how the sign-up process for your website visitors; you’ll need to clearly explain what requires their consent (as well as what doesn’t), and how you intend to use their data. Also, for external and internal auditing purposes, consider how you can demonstrate that this information has been displayed and understood by website visitors.
3. Right to Erasure (“Right to be Forgotten”)
A Right to Erasure has now been set out clearly in the GDPR. It will allow individuals the right to request that their data be erased, provided certain grounds apply (for example, the data is no longer necessary in relation to the purposes for which it was collected). When requested, businesses will have an obligation to erase the relevant personal data it holds on that individual within one month of receipt of the request.
Focus area: Locating all copies of personal data can be challenging. Think about where you may be asked to look for and erase data. Can your organisation locate all versions of an individual across your databases? What if they changed address or name? A unique pin (often known as a Single Customer View) can be a great way to smooth out the erasure process.
4. Data Protection Officer (DPO)
Businesses will be required to appoint a DPO to help them comply with all their obligations under GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance. It’s needed whether the organisation is acting as a processor or a controller where processing operations require regular or systematic monitoring of people on a large scale.
Focus area: The DPO will clearly have a number of tasks in GDPR preparation but they will need the right tools in place to monitor the on-going performance of the business. As this role needs to encompass technical, legal and business skills; think about data reporting tools that can be used by someone who may not be able to code.
5. Obligations on data processors
Under the Data Protection Act 1998 the statutory obligations only apply to data controllers. However, under the GDPR, data processors will also have obligations. For example, the processor will have a responsibility for implementing appropriate technical and organisational measures for the security of personal data during its processing activities. Processors will be legally accountable for compliance beyond any contract terms, but reputable data processors will already have many measures in place to demonstrate compliance.
Focus area: Start asking your data processors about their GDPR plans. Clearly, they may not be 100% there yet but they should be able to give you a high-level overview of what they have in place today and what they are planning to improve ready for May 2018.
6. Data Protection Impact Assessment and data breach response
Businesses will need to carry out a Data Protection Impact Assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. GDPR includes a requirement for controllers to report a personal data breach to its data protection supervisory authority (the Information Commissioners Office (ICO) in the UK) without undue delay and where feasible, within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in high risk to those rights and freedoms, the data controller will also need to communicate the breach to impacted individuals without excessive delay.
Focus area: Think about how a data breach may impact your business and data subjects. Have you got a tried and tested plan in place for this eventuality? Do you know what you would send to affected individuals? Have you got FAQs ready for your website and trained your call centre staff with the relevant messaging? A Data Breach Impact Assessment could be a worthwhile addition to your wider Data Protection Impact Assessment toolkit.
The value exchange – the consumer trust payback
A core theme of the GDPR is to keep consumer interests front of mind at all times and you’ll no doubt see this reflected in the six elements above. Whilst organisations will naturally want to comply to avoid the well-publicised fines, it’s fair to say that the transparent, secure and effective use of data has transformative potential for consumers and businesses alike. I believe this will be a significant motivating factor to get on the road to GDPR compliance.
In return we’re likely to see consumers sharing more data with the organisations they trust if they feel there is a fair exchange going on.
The GDPR is about much more than getting ready for next May – it’s forever. Now is the time to create a truly consumer-centric approach to data governance and strategy, and to secure your customer’s place at the heart of your data powered future.
If you’d like to find out more about the GDPR, our hub hosts a number of useful resources as well as information on how Experian can offer support to organisations at any stage in their preparations.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.