The General Data Protection Regulation comes into place in May 2018, bringing with it a new era of accountability for organisations and transparency for consumers on how data is stored, shared and used.
At its core, the General Data Protection Regulation requires organisations to treat the personal information they hold as a valuable asset which they are looking after on behalf of consumers. This requires companies, and by extension their employees, to think about consumers' data in a different way.
Firstly, it is always the consumer's data and not the organisation's data. This is nothing new and has been true for approximately 30 years, but many companies still struggle with the concept. It doesn't matter that your organisation owns the systems that house the customer's data, in the same way that a bank doesn't own a customer's money just because it owns the vault.
What is new is that under the GDPR, where you rely on consent as the basis for storing or using someone's data, that consent must be explicit, and the individual can withdraw it at any point. Individuals can also ask you to transfer their data to a third party (for instance when changing utility providers) or to destroy it.
All organisations who hold information relating to EU citizens need to start treating that information as a valuable commodity – if individuals in your organisation begin to equate data with money, they can start to get a sense of how important consumers' data is.
You must ask someone's permission to use, store, or transfer their money and they have a right to ask for it back in a timely fashion – data is no different.
The second thing to be aware of is that all personal data matters. Your company or organisation can be in breach of the GDPR if you fail to properly secure and police all sorts of information belonging to a consumer, not just the obvious items.
Consumers' PPS numbers, credit card details and bank account numbers may all seem like obvious items that need to be protected, but they are far from the only pieces of the puzzle which need to be protected under the GDPR.
Individuals' IP addresses, their email addresses, and any identifying characteristics such as age, race, physical attributes or gender are also valuable and are equally protected under the legislation.
Unless your organisation learns to treat data as an asset, it could rapidly lose its own assets – the fines under the GDPR can be as high as €20 million or 4% of global annual turnover, whichever is higher, and consumers also have the right to litigate under the new law. Understanding and complying with the GDPR is paramount.