Security

Preparing for the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) becomes fully effective tomorrow. The time is finally upon us. If that makes you nervous, relax: we’ve got your back. You have probably been thinking a lot about these regulations recently and doing whatever you can to prepare. So have we. Our team is very familiar with the legislation and has been working hard to ensure that all our services are in compliance. Our third-party providers have been thoroughly vetted, and our security experts are prepared to review your situation. Here is a quick overview of the important points of the GDPR and how our services fit in.

General Data Protection Regulation

The GDPR is a new set of data protection rules adopted by the European Union (EU) that applies from May 25th. Personal data is spreading at an unprecedented rate today. With the GDPR, the EU plans to get in front of that sprawl to protect personal privacy. Because it is a regulation rather than a directive, it applies directly in every member state and replaces the patchwork of national data protection laws with one set of rules and one set of penalties. This means both businesses and individuals know what to expect regarding privacy law no matter where in the EU they are interacting.

Its protection covers everyone in the EU, not only EU citizens. If you are not actively doing business in the EU you may wonder why you need to do anything about this. The answer is simple: if you offer goods or services to people in the EU, or monitor their behaviour (for example by tracking visitors to your website), then these regulations apply to you regardless of where your business is located.

Key Changes

American legislation has historically put business first, while the EU has a long history of prioritizing the individual. The new regulation takes that further, with a range of requirements designed to put individuals in control of their own data.

Improved Consent – One of the main tenets of the regulation is informed consent. Long, complicated Terms of Use packed with legalese are hard to understand. The EU wants to strip that away and make sure customers can understand what they are agreeing to. Where consent is the basis for processing, businesses must ask for it in clear and plain language, separately from other terms, stating what type of data will be collected, where it will be stored, and what purpose it will serve. Consent must be an active, unambiguous opt-in (a clear affirmative action, not a pre-ticked box or silence) and must be obtained before collection starts. Note that consent is only one of several lawful bases for processing; if you rely on a different basis, such as performance of a contract or a legitimate interest, you must be able to document that instead.

The second part of this is withdrawal of consent. If a customer no longer wants their data collected, that is their right. Withdrawing consent must be as easy as giving it in the first place, and once it is withdrawn, any processing that relied on that consent has to stop.

Access and Erasure – Individuals can ask to see the personal data you hold about them at any time. On request, businesses must provide a copy of that data, in a commonly used electronic format when the request is made electronically, normally within one month. Businesses must also erase the data on request, for example when it is no longer needed for the purpose it was collected for or when the individual withdraws the consent it was based on. Erasure is not absolute: data you are legally obliged to keep, such as financial records, can be retained, but you need to be able to tell the requester why.

‘Privacy by Design’ – Privacy and security should be built into the structure of the organization from the get-go, not shoehorned in as an afterthought. The regulation calls this data protection by design and by default: appropriate technical and organizational measures, such as data minimization and pseudonymization, must be in place from the design stage, and default settings must be the most privacy-protective ones, so that only the data necessary for each purpose is collected unless the individual chooses otherwise. This may mean adjusting the structure of your company or your data warehouse. Look at your existing structure to see where changes should be made, and think about hiring a consultant to examine your security protocols.

Data Protection Officer (DPO) – The GDPR requires certain organizations to appoint a Data Protection Officer. The DPO informs and advises the organization on its data protection obligations, monitors compliance with the regulation and with internal policies, acts as the contact point for the supervisory authority and for individuals, and keeps up to date on industry best practices. The DPO must be able to do this independently and report to the highest level of management. Not everyone needs a DPO. You must appoint one if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special categories of data (such as health data, or data about criminal convictions) on a large scale.

Timely Reporting – If a personal data breach occurs, you must notify the relevant supervisory authority (the data protection authority, or DPA, of the member state concerned) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. If the notification is late, you have to explain the delay. Where the breach is likely to result in a high risk to individuals, they must be notified as well, “without undue delay.” Keep an internal record of every breach, including the ones you decide not to report, so that the decision can be shown to the authority later.

New Hefty Penalties – A company found in breach of these regulations can be fined up to 4% of its total worldwide annual turnover for the preceding financial year or €20 million, whichever is greater. This is a huge amount that could have crippling effects. Clearly, the EU is taking this very seriously.

Lead Liaison: Automated Marketing

Under the GDPR you remain responsible for the personal data you hand to a third-party service provider, so it has become increasingly important to screen those providers thoroughly and to have a written data processing agreement with each of them. At Dobler Consulting we have done a comprehensive review of our partners to make sure their services are secure and compliant. We are very selective when it comes to ensuring we provide our clients with only the best providers. To that end, we have recently partnered with Lead Liaison, an automated marketing service that has demonstrated excellent readiness for the GDPR. Their lead tracking solution helps you manage your visitors’ data in one place. It provides customizable settings for data masking and customer opt-out, including Do Not Email, Do Not Call, Do Not Track, Do Not Personalize, and more. There are additional options to mask IP addresses and location, and to block tracking and cookies for anonymous users. To help with your recordkeeping, they have included a section to record your lawful basis for processing, as well as a comprehensive consent log. Additionally, there is an easy-to-change privacy widget so your visitors have full control over which settings are allowed. Whether you are just beginning your implementation or you are already fully compliant, this level of consolidated resource management could save you time and frustration.

At Dobler Consulting our security experts are here to help. For more information about the GDPR and increasing your data security, give us a call at +1 (813) 322-3240 (US) / +1 (416) 646-0651 (Canada), or email us (info@doblerllc.com).

Sources:

http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

https://www.eugdpr.org/eugdpr.org.html