May 2018 will see the introduction of the General Data Protection Regulation (GDPR). The law covers organisations that employ over 250 people and that either serve EU citizens or store people's data within the EU.
GDPR will revolutionise our rights to access, manage and control our data. Organisations will need to get explicit permission to use our data for a specific purpose.
For any misuse of our personal data, regulators can levy fines of up to 4% of an organisation's global annual turnover.
Research by the International Data Corporation (IDC) revealed that 52% of respondents weren't clear on how GDPR would affect them. A quarter had no knowledge of GDPR. Of those who did know of its existence, just 20% believed that they were already compliant (21% weren't even working on becoming compliant – and this study was published in February).
Getting real about personal data
If you have no knowledge of GDPR, you won't know that the definition of what constitutes personal data is changing. It is no longer limited to the traditional name, address and phone number, nor to our income bracket or the type of home we live in.
The definition of personal data is shifting to fit our use of technology and the data organisations can take from it. From May, 'personal data' will include any data that describes our location, such as our computer's IP address. It will include tracking data gathered by the websites we visit: the cookies that tell site owners how we journey through their websites.
The introduction of pseudonymisation
The last few years have seen a boom in both big and targeted data collection and analysis, as organisations attempt to build clear pictures of the individuals they do business with. The new regulations don't apply to the collection of data that:
“does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.”
As long as personal data undergoes this process of pseudonymisation, with the identifying data stored separately and the time and cost of linking the anonymised data back to it prohibitive (which makes abuse harder), organisations are still able to collect, store and use anonymised data sets.
But, what does this mean for organisations?
Anyone who collects, manages and uses personal data for an organisation must educate themselves about GDPR and what it means for their organisation. They must ask:
- How does the organisation currently collect, store and use data?
- Does the organisation just use anonymised big data sets – or do they keep identifiable personal data as well? (For example, Google Analytics is anonymous data, but is behavioural targeting?)
- How is access to the data managed? What sort of permissions do people have? Can they copy data to a USB stick and take it home?
- How is data currently shared?
Many organisations use a variety of free and paid-for platforms and apps to collect, share and manage data. If a customer gets in touch with a complaint on Facebook or WhatsApp, and they provide their phone number and other identifying details, what happens to that data?
How can the organisation ensure that it's not used for other purposes, or that a customer's request to have their data deleted has been honoured? How can organisations regulate how data is shared on employee-owned devices?
How organisations can ensure compliance
With potential fines running into the millions, it’ll be vital for organisations to ensure compliance with the new regulations. One way to do this is to unify the data management process.
Rather than use a cobbled-together suite of apps and tools, organisations can pick one secure app or platform that hosts the data. Access permissions can be granted and restricted at will, giving the organisation full control over how the data is distributed.
This method provides a comprehensive analytics trail. The organisation can see who accessed the data, what they did with it and what permissions the individual gave over the use of their data. This tracking data can then be stored securely, ready for any audit or for use as evidence during legal action.
GDPR may seem like a complex set of rules, but what organisations really need to take away is this – individuals now have greater rights to access, edit and delete their personal data, and organisations must have the processes in place to comply with this.