"Power back to the people" - are you ready for the GDPR?

Change is on its way, and in May 2018 the GDPR (General Data Protection Regulation – Europe’s new framework for data protection laws) will overhaul how businesses process and handle data.

These new data protection rules have become essential because of the amount of digital information we create, capture and store. That amount has grown massively in the past two decades, and the old set of rules and systems in place is no longer fit for purpose. The fundamental purpose of the GDPR is to update data protection laws for the digital age.

As a group, Network Group, and as IT and tech resellers to our own client bases (and their clients in turn), we have spent a lot of time becoming comprehensively informed about the upcoming regulations, which will affect all businesses across the board, so that we can steer ourselves and our clients through what is needed. These new data privacy laws are designed to give greater protection and rights to individuals.

Elizabeth Denham, the UK's information commissioner, who is in charge of data protection enforcement, says, "The GDPR is a step change for data protection. It's still an evolution, not a revolution". She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a "step change". The existing laws come from the 1995 Data Protection Directive, which is what the UK is currently using, and the GDPR will change how the public, businesses and public bodies handle personal information. In the UK it will be enforced by the Information Commissioner's Office (ICO).

There are new rights for people to access the information that companies hold about them, and obligations for better data management for businesses, as well as a new regime of fines.

How will it impact?

Any individual, organisation or business that either controls or processes personal data will need to comply with the GDPR. The regulation covers both personal data and sensitive personal data. Personal data broadly refers to information that can be used to identify a person, such as a name, address or IP address; sensitive personal data includes genetic data and information about religious and political views and sexual orientation, amongst others.

What does this mean?

The GDPR will give people easier access to the data that companies hold about them; it introduces a new set of fines; and it places a clear responsibility on organisations to obtain the consent of the people they collect information about.

Most big businesses will already have heard about the upcoming changes and taken measures to comply, but smaller businesses and start-ups may not be giving it as much attention as they should.

To summarise some of the key changes to be ready for:

Accountability and Compliance

This is an area that Network Group has been raising awareness about, as companies will be more accountable for their handling of people's personal information. Businesses should have data protection policies, impact assessments and procedures in place covering how data is processed in the organisation. Those procedures also cover how large data breaches are handled should one occur, as in the recent Yahoo and LinkedIn cases, for example. Under the GDPR, the destruction, loss, alteration, unauthorised disclosure of, or access to people's data has to be reported to the UK's data protection regulator, the ICO. The resulting harm can include financial loss, breaches of confidentiality, damage to reputation and more. "The ICO has to be told about a breach 72 hours after an organisation finds out about it and the people it impacts also need to be told," says a source.

Privacy, opt-ins and DPOs

Some companies, Wetherspoons for example, are intentionally deleting their customer email databases. "For companies that have more than 250 employees, there's a need to have documentation of why people's information is being collected and processed, descriptions of the information that is held, how long it is being kept for and descriptions of technical security measures in place."

"Additionally, companies that have 'regular and systematic monitoring' of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. It means that data protection will be a boardroom issue in a way it hasn't been in the past."

There's also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in".

Access to personal data

Under the GDPR, requests for personal information must be handled free of charge, rather than for a fee. When someone asks a business for their data, the business has to provide it within one month.

Big technology companies and smaller businesses alike will have to give users more control over their data.

"The new regulation also gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there's no legitimate interest, and if it was unlawfully processed."

How to prepare your business for GDPR

To help organisations prepare for the start of the GDPR, the ICO has created a 12-step guide, which is available here. The ICO's guide to the GDPR is essential reading for both consumers and those working within businesses.

Organisations will also have to play by much tougher rules, which may eventually reduce data breaches. We have all got used to a world of 'free' services such as Facebook and Google. The price we have actually paid has been to freely give away our most personal information. For a while it may have seemed worth it, but as technology has advanced so quickly, enhancing the collection and analysis of data to reveal more and more intimate details, we've lost control over the information we share. Many organisations have also been careless with how they safeguard our data. It is right that this balance is redressed by the GDPR.

Data protection in today's IoT connected world

The challenges facing energy companies, as discussed at a recent round table, are given here as an example of what many other industries need to consider for their own GDPR compliance, and of the types of questions to ask when examining your own organisation's compliance:

“The IoT provides the foundation for a fundamental re-engineering of our energy system creating opportunities to optimise supply, save money, increase revenue and improve environmental protection, choose suppliers, and enhance personal productivity and quality of life. Big data technologies, smart meters, sensors, the cloud and next generation analytics are the technical enablers of this opportunity, providing rich insight into consumer behaviour. This all brings new challenges for data protection and security however.

The new General Data Protection Regulation legislation is around the corner. It will apply in UK law from 25 May 2018, regardless of Brexit, and will have significant implications for organisations of every size and sector.

There are significant changes and additional obligations for organisations. Among these are an expanded definition of personal data, additional requirements for collecting consent, changes to data breach notification, and the introduction of rights relating to data portability, automated decision making and profiling. There are also significant fines for non-compliance.

This roundtable, bringing together government and industry experts from across the tech and energy industry, was an opportunity to discuss the implications of GDPR for the sector.

Specifically, discussions addressed some of the following issues:

  • What are the implications for smart metering infrastructure and data use for new market services?
  • Will GDPR change the products/services tech companies can offer? What are the opportunities and barriers it creates?
  • Does GDPR change how companies will seek to access smart meter data (via a CAD, the DCC, data porting etc)?
  • Is the energy sector and wider ecosystem ready for GDPR? Are there specific sectoral issues for the industry that should be considered?
  • How will tech companies react to the data portability rules of the GDPR? Are they prepared for sharing customers' data with other companies (if requested) and what are their expectations of energy suppliers regarding data portability?
  • Does GDPR have an impact on competition or create the need for new delivery models?

“Clearly, GDPR is not a simple thing. It requires process, policy, and some moving pieces. The users own the data. But as the host, you own the process, and the liability,” says digital expert Jeffrey Scheidel. For many, it’s time to put some serious effort into ensuring your organisation is GDPR ready for May 2018.