The 25th of December will carry extra significance this year, with the day marking five months until the European Union’s (EU) new data regulations come into force.
While we are not recommending that those who process and manage data spend their Christmas locked up in a room devising a plan of how their business is going to comply with General Data Protection Regulation (GDPR), it is of utmost importance that you consider how your organisation is going to meet the requirements sooner rather than later.
The consequences for businesses of not meeting the new regulations are severe: for the most serious infringements the fine can be up to 4% of annual global turnover or €20 million, whichever is greater. Businesses should also be aware that Brexit will not save them from having to comply with the requirements, as the UK government has already committed to carrying GDPR into UK law once the Brexit process is formally completed. Businesses with customers in the EU would have had to comply with GDPR in any case, regardless of whether it was introduced into UK law.
In short, GDPR gives the following rights to individuals over their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (the "right to be forgotten")
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
[Information available from the Information Commissioner's Office (ICO)]
For large businesses, the issue of data management is covered in part by their ERP system, which, along with their CRM system, holds huge amounts of personal customer data. Under GDPR the definition of personal data is widened to include online identifiers such as IP addresses, user IDs and location data.
Many of the rights outlined above by the ICO can be met by adopting a default culture of responsible data management within your business, one in which those tasked with processing and managing data always work to documented best-practice procedures. Sizeable businesses may find they would benefit from appointing a Data Protection Officer whose role is to oversee data protection compliance; for public authorities, and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data, GDPR makes the appointment mandatory. The cost of hiring a member of staff would be far less than the potential fine for non-compliance.
The right that poses most problems for businesses, particularly in relation to their ERP system, is the right to erasure, better known as the right to be forgotten. Regardless of whether the information is stored in a large enterprise management system or an office filing cabinet, a business must be able to demonstrate that every record of an individual's data it is not legally required to retain has been erased, including copies held in backups and by the processors it has shared the data with. The right is not absolute (records kept to meet a legal obligation, such as accounting rules, can be retained), but deciding what must go and proving it has gone is a tricky process, and one that some businesses may not be fully confident they can complete with 100% certainty.
Locating and erasing personal data within an ERP system may not be as straightforward as many businesses would like to imagine. Personal data is likely to be stored in a whole host of different tables and areas, so simply finding it all is likely to prove time-consuming, to say the least.
With GDPR, though, time is of the essence when it comes to locating an individual's personal data. GDPR gives a business only one month from the request date to provide the data to the individual, a reduction of around 10 days from the current 40-day time-frame; the period can be extended by a further two months for complex or numerous requests, but the individual must be told of the extension, and the reason for it, within the first month. Businesses that have had substantial customisation work done on their ERP system may find the new timescale challenging. It would be worth running a test in the months leading up to GDPR of how quickly an individual's data can be located from within the ERP software. At the very least, businesses should draw up a plan of how they intend to go about the process.
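The following is an added illustration, not code from the original article and not tied to any real ERP product. It uses an in-memory SQLite database with a constructed mini-ERP schema (customers, orders, support tickets, web sessions, products) to show the three steps a data-subject or erasure request needs: discover which tables and columns hold identifying data by walking the schema metadata, locate every row for one individual (by e-mail address and by the customer key that links other tables back to them), then erase and re-run the discovery as evidence that nothing is left. The column catalogue, the `orders` retention rule and the sample rows are all assumptions made for the example; in a real ERP the catalogue would come from a data inventory and the retention rule from legal advice.

```python
import sqlite3

# Constructed catalogue (assumption, not from any real ERP): column names treated
# as holding the subject's e-mail address, plus foreign-key columns that point at
# the customers row and so identify the person indirectly.
EMAIL_COLUMNS = {"email", "customer_email", "contact_email"}
CUSTOMER_KEY_COLUMNS = {"customer_id"}
# Tables whose rows must be kept for other legal reasons (e.g. accounting records):
# their identifying columns are blanked rather than the whole row deleted.
RETAIN_ROWS = {"orders"}

# Constructed schema and sample data standing in for an ERP database.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, customer_email TEXT, total REAL);
CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, contact_email TEXT, body TEXT);
CREATE TABLE web_sessions (id INTEGER PRIMARY KEY, email TEXT, ip_address TEXT);
CREATE TABLE products (id INTEGER PRIMARY KEY, sku TEXT);
"""
SAMPLE_ROWS = """
INSERT INTO customers VALUES (1, 'Ann Example', 'ann@example.com');
INSERT INTO customers VALUES (2, 'Bob Example', 'bob@example.com');
INSERT INTO orders VALUES (10, 1, 'ann@example.com', 99.0);
INSERT INTO orders VALUES (11, 2, 'bob@example.com', 12.5);
INSERT INTO support_tickets VALUES (100, 'ann@example.com', 'invoice query');
INSERT INTO web_sessions VALUES (1000, 'ann@example.com', '203.0.113.7');
INSERT INTO web_sessions VALUES (1001, 'bob@example.com', '203.0.113.8');
INSERT INTO products VALUES (5, 'SKU-1');
"""


def open_sample_db():
    """Create the constructed ERP stand-in in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def q(name):
    """Quote an identifier read from schema metadata before splicing it into SQL."""
    return '"' + name.replace('"', '""') + '"'


def identifying_columns(conn):
    """Walk every table and return {table: [(column, 'email'|'key'), ...]} for the
    columns the catalogue treats as identifying. Tables with none are omitted."""
    found = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({q(table)})")]
        hits = [(c, "email") for c in cols if c in EMAIL_COLUMNS]
        hits += [(c, "key") for c in cols if c in CUSTOMER_KEY_COLUMNS]
        if hits:
            found[table] = hits
    return found


def locate_subject(conn, email):
    """Return {table: sorted rowids} for every row referring to the subject,
    matched either on e-mail address or on their customer key."""
    key_row = conn.execute("SELECT id FROM customers WHERE email = ?", (email,)).fetchone()
    customer_id = key_row[0] if key_row else None
    hits = {}
    for table, cols in identifying_columns(conn).items():
        rowids = set()
        for col, kind in cols:
            value = email if kind == "email" else customer_id
            if value is None:           # no customer row, so nothing can link by key
                continue
            rows = conn.execute(f"SELECT rowid FROM {q(table)} WHERE {q(col)} = ?", (value,))
            rowids.update(r[0] for r in rows)
        if rowids:
            hits[table] = sorted(rowids)
    return hits


def erase_subject(conn, email):
    """Delete every located row, or blank its identifying columns where the table
    must be retained. Returns {table: ('deleted'|'blanked', row_count)}."""
    hits = locate_subject(conn, email)  # resolve the customer key before deleting it
    summary = {}
    for table, rowids in hits.items():
        placeholders = ",".join("?" * len(rowids))
        if table in RETAIN_ROWS:
            cols = [c for c, _ in identifying_columns(conn)[table]]
            assignments = ", ".join(f"{q(c)} = NULL" for c in cols)
            conn.execute(f"UPDATE {q(table)} SET {assignments} WHERE rowid IN ({placeholders})", rowids)
            summary[table] = ("blanked", len(rowids))
        else:
            conn.execute(f"DELETE FROM {q(table)} WHERE rowid IN ({placeholders})", rowids)
            summary[table] = ("deleted", len(rowids))
    conn.commit()
    return summary


def verify_erased(conn, email):
    """Re-run discovery after erasure; True means no identifying row remains."""
    return locate_subject(conn, email) == {}


if __name__ == "__main__":
    db = open_sample_db()
    print("located:", locate_subject(db, "ann@example.com"))
    print("erased:", erase_subject(db, "ann@example.com"))
    print("verified clean:", verify_erased(db, "ann@example.com"))
```

The discovery step is driven by the catalogue rather than by a hand-written list of queries, which is what makes it survive the customised schemas the paragraph above warns about: a new table with a `customer_email` column is picked up automatically, whereas a column that nobody registered in the catalogue is missed, so keeping the catalogue complete is the real work. The verification step is deliberately the same search run again, so the evidence you keep for the regulator is produced by the same code path that found the data in the first place.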
Add in that businesses relying on consent as their lawful basis must now obtain positive opt-in consent from individuals and keep records of how it was obtained, that parental consent is needed for online services offered to children under 16 (GDPR's default age, which member states may lower to as low as 13), and that a whole host of other requirements must be met, and it becomes clear that GDPR is an issue businesses must start to plan and adjust for as soon as possible.