For any company or public sector body that has placed a major focus on "Big Data" in the last 5-10 years, the finalised text of the GDPR (General Data Protection Regulation) will have a significant impact on how personal data is processed, stored and managed from 25 May 2018.
The regulation adds increased accountability for organisations to ensure that their data and associated systems are secure. Each EU member state must have a Supervisory Authority (SA) (e.g. the ICO in the UK), with all SAs working closely together.
A note for post-Brexit readers: the regulation applies to businesses operating within the EU and also to organisations outside the EU that process the personal data of EU residents, so leaving the EU does not remove the obligation.
GDPR: Three Certainties From May 2018
- Data breaches will continue to occur
- Fines will be paid of up to 4% of global annual turnover or 20 million Euros (whichever is the greater)
- The majority of companies will not be ready
"Big Data" has become a valuable tool for business, providing significant insight into customers and the wider online landscape. However, the volume of personal data being collected has created the need for tighter security, particularly as the number of significant data breaches has increased, causing regulators great concern.
Regulatory Eye On Social Networks
The GDPR was developed with a regulatory eye on social networks and cloud providers, which market and store millions of personal records and associated information. With recent data leaks reported from the likes of LinkedIn, the challenges facing companies that protect extensive personal information are not expected to ease significantly before the regulation comes into force in May 2018.
GDPR: Changes On The Horizon
Some of the most significant changes to the legislation are listed below:
- The purpose of data collection will need to be fully explained, with consent freely given by each individual, and that consent must be as easy to withdraw as it was to give.
- Where processing relies on the consent of a child, verified consent from a parent or guardian is required. Data concerning children is a particular focus of the GDPR.
- Breach Notification – notification to the Supervisory Authority becomes mandatory within 72 hours of becoming aware of a breach, where feasible. Under the current UK Data Protection Act notification is encouraged by the ICO but not mandatory.
- Regarding fines, financial risk has increased significantly. Current UK fines are capped at £500,000. Under the GDPR, the most serious breaches will be subject to fines of up to 20 million Euros or 4% of annual global turnover (whichever is the greater).
- Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs), become mandatory for any processing that is likely to result in a high risk to individuals' privacy, for example large-scale profiling or processing of sensitive data.
There is no disagreement that insight into customer and market behaviour is an extremely valuable business intelligence asset, but the risks associated with the collection, handling and processing of data (particularly personal data) are about to escalate.
Q: Have organisations pushed big data requirements ahead of data security?
In short, yes.
The rapid growth of social media has been written about and commented on extensively. Marketing, PR and digital agencies were quick to push clients to "grow their audiences online", predominantly on social platforms. And why wouldn't they? People were freely sharing so much information on what they "like", who they "follow" and what their opinions are. Add the ability to track behaviour, clicks and user journeys, and marketers have never had it so good.
At the same time, the evolution of online advertising allowed ads to be displayed in a much more targeted and personalised way. Online media allowed the capture of as much personal data as you could get away with, so that products could be re-marketed to a growing database.
Globally, the public sector has also gone through a huge digital transformation, digitising public records, medical records and criminal justice systems, while cloud-based storage has removed the need for organisation-owned physical servers.
All of this has happened in a relatively short time. Companies that have worked hard to align digital and IT practices are well placed to endure additional regulatory scrutiny regarding the handling of personal information, but those that are not currently GDPR compliant have just under two years to ensure that they are ready for the changes.
Getting Ready For GDPR
With data breaches now carrying a larger financial risk, there are a few areas where companies can prepare themselves for the changes to data protection regulation:
- The increased financial penalties will, no doubt, concern the C-suite of the world's largest companies, brands and public institutions. Their buy-in to increased security procedures and resourcing is key,
- GDPR applies to organisations of all sizes (the 250-employee threshold only affects an exemption from record-keeping obligations, not the regulation itself), so smaller companies without dedicated compliance staff will no doubt need additional support and should seek it now,
- A full assessment or review of current data processing protocols is essential, working towards GDPR compliance ahead of May 2018,
- Robust monitoring is key, so data monitoring should run 24/7, 365 days per year to alert the company promptly to potential leaks,
- Monitoring of the wider web and dark web for the sale of data is also highly recommended; the 72-hour notification clock starts when the organisation becomes aware of a breach, so early detection is essential to meeting the deadline and avoiding the maximum fines,
- Updated policies and incident reporting processes are required to ensure staff and third-party contractors are working to the same data protection requirements,
- Provide training and update systems, documentation and processes to ensure every related team (e.g. IT, Marketing, Legal, Cyber and Compliance) is well versed in the changes,
- Crisp's team are already working to ensure that our global clients are alerted to data breaches by our team of moderators, who work 24/7 in multiple languages. We will continue to ensure our clients are promptly and accurately informed of any potential data threats within minutes, well within the 72 hours stipulated by the GDPR.
To talk to us further about the changes to GDPR and how Crisp’s service is used to protect our global clients from regulatory pressures, please email email@example.com.