The General Data Protection Regulation (GDPR) begins this May 2018. It may seem a long time away, but if you are only just looking into the new regulations for your business there is a lot to do to be ready for it.
Under the new GDPR rules, businesses will have to follow strict processes when collecting and storing personal data of EU citizens. Data can only be stored with the specific consent of the user and only for the purpose stipulated. Non-compliance will result in penalties of up to 20 million Euros or 4% of worldwide turnover, so it really is imperative that businesses put the correct procedures in place.
Main Requirements of GDPR
Privacy notices – Privacy notices need to be included in processes and systems. If anyone asks for their data to be completely erased, the system should be capable of doing this.
Right to data portability – Personal data needs to be securely transferable and obtainable from one party to another.
Opt-in consent – Businesses need to make clear what it is they will be using the personal data for and explicit consent is required.
Right to be forgotten – Anyone has the right to access their personal data and to ask for that data to be erased at any given time.
Non-compliance fines – Depending on the violation, businesses found to be non-compliant will face penalties of up to 20 million Euros or 4% of worldwide turnover.
Strict rules for data breaches – If there is a data breach, businesses must inform the data protection authority and its customers within 72 hours of it occurring.
Business support systems will now need to be compliant with GDPR. This means they should be set up to ask for consent at every step of the way and have the capability of erasing all of a customer’s data if they ask for it. This falls under the ‘right to be forgotten’ provision of GDPR, whereby businesses cannot hold any data without prior agreement and this data must be deleted at any time if requested by the user.
In addition, businesses will need to use encryption where possible to ensure that no security breach results in data being taken. Businesses will need to overhaul many of their internet-facing applications in order to adhere to this, and regular testing will be required.
So, what will be the impact on the telecoms industry?
For the telecoms industry, those businesses that transfer information will need a system that adheres to the new regulations and is ready to delete data when requested. Internet Service Providers will also have to make sure they are compliant by only storing and using customer data with specific consent.
Stored data will also need to be segmented to ensure it’s used only for the purpose it has been consented for, and this data will need to be separated from other systems to make sure it’s not accidentally used for other purposes. If you share data in electronic format, for example when a consumer asks for a copy of their personal data, it’s wise to provide it in a common, standard format.
May 2018 is not far away. Make sure you are taking the correct steps to be compliant with the new GDPR regulations. Are your business support systems, providers and suppliers already taking steps in this direction? It’s worth checking it out.