GDPR: GET IN CONTROL OF YOUR DATA
Protection of privacy and personal data has dominated the media in the last few weeks. The Facebook and Cambridge Analytica scandal, in which the consulting firm is accused of harvesting the data of 50 million Facebook users without permission, and of failing to delete it when told to, has raised various questions about how data is being used and shared. Is Wetherspoon’s tactic of shutting down the Facebook, Instagram and Twitter profiles of all 900 of its pubs what we should be considering, or is it a step too far?
Data is now extremely valuable and is arguably a new form of currency. For example, Uber owns no vehicles, yet is the world’s largest taxi company, and Airbnb owns no real estate, yet is the world’s largest accommodation provider; both rely on a huge data network. This poses questions for data ethics and for what is perceived as more important: reputation or regulation?
The General Data Protection Regulation (GDPR) was proposed by the European Commission in an attempt to strengthen and unify data protection for all individuals within the EU. After four years of preparation and discussion, the regulation comes into force on 25th May this year, by which time all organisations holding consumer data should be GDPR compliant.
After attending a recent GDPR Summit Series Conference, we have devised these top tips to help our partners become GDPR compliant:
Knowing where customer data is stored is the first step: is it accurate, is it true, and has it been copied or stored in more than one place? If there is a lack of awareness around where data is kept, a breach of GDPR will have occurred, leading to a large fine.
It is important to understand how data is being used across different parts of the business, as well as by external parties. Capturing and recording all the ways in which that data is used will enable you to keep track of this.
Trust is the number one incentive that makes customers happy to share data, and companies that are transparent and tell customers how their data is stored and used are substantially more reliable.
Legitimate interest is the most flexible lawful basis; however, by relying on it you take on more responsibility. The interests behind storing and using data must have necessary, clear and specific benefits and outcomes.
The Information Commissioner’s Office (ICO) has devised a three-part test to outline the expectations around using legitimate interest as a basis for processing personal information:
• Purpose test – is there a legitimate interest behind the processing?
• Necessity test – is the processing necessary to achieve that purpose?
• Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
Proving accountability and implementing appropriate measures will help to demonstrate that your business complies with GDPR. Maintaining documentation, employing a data protection officer and carrying out data protection impact assessments are all ways of achieving this.
Ultimately, this new regulation should be seen as an opportunity, not a challenge: a chance for businesses to gain wider trust from new and existing customers and to increase brand loyalty.
For more information, do not hesitate to contact us – we are on hand to support our clients and partners in navigating the GDPR landscape.