Many companies are looking at GDPR as a tick box exercise and there is much talk about the large fines that could be imposed, but are we all missing the point?
Vanessa Cozens, CEO of The GDPR Clinic
Since the 1995 directive much has changed in our world and the pace at which new technology is introduced is moving at great speed and our personal data is used in ways that we couldn’t have even imagined in 1995.
The real purpose of GDPR is to harmonize the way personal data is used across the EU Region and indeed around the world. The principles of the original directive are still there but the scope of the new regulation has been enhanced to provide the data subject with more rights to enable then to choose how their personal data is processed.
The enhanced data subject rights are as follows-
This will become a mandatory requirement and must be reported within 72 hours of the company becoming aware of the breach. If the breach is deemed as “likely to result in a risk for the rights and freedoms of individuals” then the processor must inform the controller and customer of the breach without undue delay.
Rights to access
Companies will need to be more transparent about the data they hold. At the request of a data subject they must supply details of the personal data held, where it is held and for what purpose the data is being processed. The information should be provided in an easily understood electronic format within 30 days and must be supplied free of charge.
The right to be forgotten entitles the data subject to request that their data is erased and that no further processing takes place. Article 17 outlines the conditions for erasure and also covers the «the public interest in the availability of the data» that controllers should also consider before the request is actioned.
This is the right for a data subject to receive the personal data concerning them to be transmitted to another controller.
Many companies will see the GDPR as a threat to their business due to the large amount of work required to become compliant and the potentially crippling fines that may be imposed should they fall victim to a breach.
There are however many opportunities to be found with GDPR compliance. Many companies hold vast amounts of data and have no data destruction policy in place so this is an opportunity to clear out old unused data and potentially free up some space on their servers, it’s an opportunity to review their policies for data storage and purposes for collecting the data and implement more streamlined policies and processes to make their business run more effectively and let’s not forget the customer, the person that makes your business possible.
You have the opportunity to give them more freedom to choose how you use their personal data, show them that as a business you care about their rights and in turn improve your reputation as a company that puts their customer first.
In a fast paced landscape where new technology is moving at lightning speed and data is king lets return to some old fashioned values and put our customers first, give them back their freedom to choose how we process their personal data.
Our customers are also an ever evolving group of people who are changing at a similar pace and want to see an end to the betrayal of companies that misuse their data, they now understand the value of their personal data and how the loss of such data can impact them. With their enhanced rights under GDPR they will soon learn and understand their new legal rights and this will empower them to act and ensure their data is used in a clear and transparent manner.
The ICO has also made their intent clear that they will enforce the GDPR and will use the customers rights as a means to impose its new legal powers, so let’s give the power back to the consumer and make sure we are using their data for the purposes it was originally collected and give them a clear and concise means to consent to it use. This will ensure we do not fall prey to a potential fines and will also improve your reputation for being a company that has grasped the essence of the GDPR and is giving its consumers the power to decide how their data is processed.