Starting next May, businesses operating in the United Kingdom (UK) and European Union (EU) will need to comply with the General Data Protection Regulation (GDPR), which will replace the current Data Protection Act. Whether you are ready for it or not, the GDPR is almost here, and it is going to affect every digital management practice. In replacing the Data Protection Act, the new regulation not only covers data protection itself, but also contains rules on newly enhanced technology, as well as the obligations and responsibilities organisations will have when handling information about EU citizens. It is therefore crucial to understand how this regulation will change business practices, starting with these five tips:
1. ‘Personal data’ definition will change
The GDPR will apply across the board to any company that handles the personal data of an EU citizen, whether in a B2B or a B2C relationship. While the GDPR is technically an EU initiative, it will have a global impact, regardless of the UK's Brexit decision. The definition of personal data will also be broader: from May 25th, it will cover any data that can be used to identify an individual, including business contact data and genetic, mental, cultural, economic or social information.
2. Data Protection Officer
If your business involves processing data on a large scale, you will need a Data Protection Officer (DPO). It is not the size of the company that matters, but the amount of data it handles on a regular basis. In simple terms, this means that SMEs and small businesses may need to hire someone to ensure that their personal data processes, systems and storage are in accordance with the GDPR.
3. Privacy Impact Assessments
Privacy Impact Assessments (PIAs) are a preventive step being introduced for businesses to mitigate the knock-on risk to individuals. If you run projects that involve personal data, a PIA must be carried out, and the DPO will then have to make sure the project complies with the GDPR while it runs.
4. More evidence of the ‘valid consent’ process
Under the GDPR, the data that a platform wants to collect from an individual must be described clearly and simply. More than that, companies must explain fully how that data will be processed. Valid consent from a user must also be actively obtained, rather than assumed to have been given.
5. ‘Right to be forgotten’
To reinforce ethical best practice, businesses under the GDPR will not be able to hold or retain any data for longer than necessary. Subscribers, users or clients can invoke the 'right to be forgotten', under which the organisation must entirely delete the information it holds about that individual. In addition, companies will not be able to use data for purposes other than those initially agreed; if they wish to do so, they must obtain new, updated consent from their users. If this is too much information, do not worry! Talk to us; the EMBERS team is already working on the ethical and privacy principles set out by the GDPR to make our Mobility platform fully compliant!