The new General Data Protection Regulation (GDPR) replaces the Data Protection Directive 94/46/EC and is designed to harmonise data privacy laws across the EU, protecting and empowering all EU citizens' data privacy and reshaping the way that organisations across the region approach it.
The GDPR threatens significant fines and penalties for non-compliant data controllers and processors. It will increase the maximum fine the Information Commissioner's Office (ICO) can impose on companies who have not adequately protected themselves against data theft from £500,000 to £17 million (or 4% of turnover).
Needless to say, changes to the governance of data will have far-reaching consequences for your business.
The GDPR applies to ‘controllers’ and ‘processors’ of data.
Controllers are the ones who determine how and why personal data is processed, while processors are the ones who actually process the data. The controller could be any organisation, from a profit-seeking company to a charity or government body. A processor could be an IT firm doing the actual data processing. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they are dealing with data belonging to EU citizens.
Please note that the GDPR will apply to businesses who operate and deal with data in the UK for as long as we are part of the EU, and you can fall foul of penalties if you are not compliant while we are part of the European Union.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
The Secretary of State for Department for Culture, Media & Sport (DCMS) has confirmed that GDPR will apply in the UK from May 2018. The UK will still be part of the EU at this time and will need to be recognised as a safe data haven in order to continue trading with EU members.
In line with the new directive, privacy policies will need to be more detailed but written in plain language. Teams will need to work with legal reps to review and rephrase these documents to ensure greater transparency.
Any personal data that is stored or used within your business will be subject to the regulation, and it is paramount that you are able to show exactly where and when data was obtained and that the subject agreed.
It is also vital under this new regulation to be able to demonstrate the measures you are taking to keep this data secure; any leak could see your business facing costly fines – and a damaged reputation.
Organisations will need to confirm they are the owner of an opted-in email address. GDPR also recognizes that permission is not indefinite and data would have to stop being used after a period of inactivity. Clearly this will impact on the usage of email addresses that are included in CRM marketing lists.
Data subjects are given substantial rights, including the right to be forgotten. Anyone with experience of such systems knows that if there is one thing they were designed to do, it is to avoid letting someone be forgotten. The nature of a system is the opposite: register and track everything.
For instance, inactivating a record (as an alternative to deleting it) has been the recommended action to ensure the integrity of the audit trail associated with that record; going forward, records will need to be deleted.
Given the ramifications of this directive, organisations are urged to begin reviewing privacy and data management practices now.
Our solution, Dynamics Security Management for AX2012, can help you to get started on your journey to compliance. If you’d like to find out more about Dynamics Security Management for AX2012 and how it can help your business, you can download our factsheet here, or you can watch our recorded webinar here which gives you a demo of the solution and shares a customer case study.