Saturday 19 August 2017

New regulations are not just a tech problem - now everyone must act in protecting consumers' data

The burden of proof is on the organisation to show that they have taken care of the consumer’s personal data in a compliant way. The potential for litigation under the new regulations is immense (Stock picture)

Harry Leech

The new General Data Protection Regulation (GDPR), which comes into effect in May 2018, will bring significant and far-reaching changes to how companies approach the protection of data belonging to EU citizens.

Any organisation holding personal data belonging to people in the EU - whether or not the organisation itself is based in the EU, provided it offers those people goods or services or monitors their behaviour - will be bound by stringent rules when it comes to collecting, protecting, and storing that data.

The type of data that is covered is broader than many businesses realise. It is not just information such as passwords, PINs or dates of birth that companies and other organisations will be legally obliged to protect and handle fairly, but also customers' location data, social security numbers, IP addresses and email addresses, as well as any details of physical characteristics such as age, race, appearance or gender.

In short, the regulation covers anything that could be construed as "personal data".

The GDPR also brings new obligations: a push towards pseudonymisation and "data protection by design", a requirement to notify the supervisory authority (in Ireland, the Data Protection Commissioner) within 72 hours of becoming aware of a breach - and to tell the affected data subjects (the people on whom you hold data) without undue delay where the breach is likely to put them at high risk - as well as higher standards of consent and codified rules on how and when consumers can ask for their information to be transferred to a third party or erased.

While thinking about all of the new obligations the GDPR entails may lead some to adopt an "ignorance is bliss" approach, the penalties for not complying with the new regulations should cure that pretty quickly. For what are deemed "serious breaches" the fines can reach €10m or 2pc of total worldwide annual turnover (whichever is greater), and for "very serious breaches" the penalties can reach €20m or 4pc of total worldwide annual turnover (again, whichever is greater).

Those eye-watering figures are not the end of the financial exposure, however. For the first time in Ireland, consumers who are "data subjects" will have an explicit right to compensation for non-material damage - distress or loss of control over their data, for instance - and not only for financial loss. (The consumer can still litigate in the case of material damage arising from data privacy breaches.)

In layman's terms, what this means is that the person whose data you hold does not have to show a financial loss to bring a claim; it is enough that they suffered some harm, such as distress, because their personal information was held in a way that does not comply with the new regulations.

And once a claim is made, the burden of proof is on the organisation to show that it is not responsible for the harm - in practice, that it has taken care of the consumer's personal data in a compliant way. The potential for litigation under the new regulations is immense.

Much of the focus on the GDPR over the past two to three years has come from the technology sector, in part because for cloud computing and 'big data' companies the downside of being found non-compliant is particularly significant: the more data you hold, the greater the chance of a human or technological error, or of an attack by hackers.

This has led to a misconception on the part of many companies that the GDPR is a technology law that poses challenges that must have some sort of technological "fix", but it is not. Whether you keep your mailing list on a USB stick or have a printed copy, if an employee loses it your organisation is just as culpable.

Likewise, it doesn't matter whether you are a for-profit organisation or a charity.

A healthcare company that purposefully shares consumers' health records with a third party without the consumers' consent will be in breach of the GDPR, as will a voluntary organisation which accidentally loses the direct debit details of regular donors - the only difference is in the size of the fine handed down.

The DataSec 2017 conference takes place on May 3 in the RDS in Dublin. The event will provide expert speakers, information and insight to help your business comply with GDPR and get the most out of the new legislation. For tickets see: https://eventgen.ie/dublin-data-sec-2017

Sunday Indo Business
