The New GDPR Rules Focus On Consumer Protection

It’s very clear that the new GDPR rules put consumers in the driver’s seat, whilst the businesses responsible for handling customer data have to comply with the regulations.
 
Businesses that fail to follow the new rules will face tough and potentially damaging penalties of up to 4% of their company’s annual global revenue or a fine of 20 million Euros, whichever is greater.
 
Here are the key requirements for consumer rights:
 
1. The right to access: individuals have the right to request access to their personal data and to ask how their data is used by a company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
2. The right to be forgotten: Consumers who are no longer customers can withdraw their consent for a company to use their personal data, and have the right to have their data deleted.
3. The right to data portability: Individuals have a right to transfer their data from one service provider to another. It must happen in a commonly used, accessible, readable format.
4. The right to be informed: Companies must inform the customer/citizen before any data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than automatically presumed.
5. The right to have information corrected: This allows individuals to have their data updated if it is out of date or incomplete or incorrect.
6. The right to restrict processing: Individuals can request that their data is not used for processing. Their records can remain in place, but not be used.
7. The right to object: This allows individuals the right to stop the processing of their data for direct marketing without any exemptions. Any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
8. The right to be notified: If a data breach has occurred which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of the company first having become aware of the breach.
 
How could GDPR affect your business?
Whilst regulation itself is needed to ensure businesses operate fairly, some regulation can hinder business and make daily operations bigger tasks than they once were. Regardless of whether the data processing takes place within the EU or not, the new regulations apply to all businesses established within the EU, and even businesses established outside the EU will have to comply with the GDPR. Any business that offers goods or services to customers within the EU will be legally required to follow the new regulations.
 
Whilst the management of data will become an IT issue, it should also be a major area of concern across the whole company, in particular the sales and marketing department.
 
Implications for Businesses
The new GDPR rules allow individuals the right to withdraw consent at any time and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities.
This means you have to be able to prove that the individual agreed to a certain action, for example to receive a newsletter. Companies cannot simply add a disclaimer, or ‘small print’, and providing an opt-out option is not enough.
 
This means that companies will have to seriously consider their methods of marketing and sales activities and how they legally obtain data.
 
Companies will need to review business processes, applications and forms to all be compliant with double opt-in rules and new email marketing rules. If a customer wishes to subscribe to a company’s communications, they will have to fill out a form or tick a box and then confirm it was their actions in a further email (known as double opt-in).
Companies must also prove that consent was given by the customer should a case arise where an individual denies receiving the communication in the first place.
 
In order to do this, any data held must have a clear audit trail that is time stamped with details of how the customer opted in and when.
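The double opt-in flow and the time-stamped audit trail described above can be modelled as a small consent ledger. The following is an added example, not code from the article or from ConstructaQuote; it assumes an in-memory, single-process store, UTC timestamps, and that the confirmation token is delivered to the subscriber by email out of band. The class and method names (ConsentLedger, request, confirm, withdraw, evidence, verify_chain) are hypothetical. Each entry records how and when consent was captured, consent only counts once the emailed token is confirmed, and entries are hash-chained so that later editing of the trail is detectable.

```python
"""Consent ledger with double opt-in and a time-stamped, tamper-evident audit trail.

Added example (not from the article). Assumptions: a single-process in-memory
store, UTC timestamps, and that the confirmation token is sent to the subscriber
by email out of band. All names here are hypothetical.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import hashlib
import secrets

GENESIS = "0" * 64  # previous-hash value used by the first ledger entry


@dataclass
class ConsentEvent:
    ts: str          # ISO-8601 UTC timestamp: the "when"
    subject: str     # the data subject (here identified by email address)
    action: str      # "requested" | "confirmed" | "withdrawn"
    purpose: str     # what the consent covers, e.g. "newsletter"
    source: str      # how consent was captured: the "how"
    prev_hash: str   # digest of the previous entry (hash chain)
    digest: str = ""

    def compute_digest(self) -> str:
        payload = "|".join([self.ts, self.subject, self.action,
                            self.purpose, self.source, self.prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        # pending confirmation tokens -> (subject, purpose, source)
        self._pending: Dict[str, Tuple[str, str, str]] = {}

    def _append(self, subject: str, action: str, purpose: str, source: str) -> ConsentEvent:
        prev = self._events[-1].digest if self._events else GENESIS
        ev = ConsentEvent(datetime.now(timezone.utc).isoformat(),
                          subject, action, purpose, source, prev)
        ev.digest = ev.compute_digest()
        self._events.append(ev)
        return ev

    def request(self, subject: str, purpose: str, source: str) -> str:
        """Step 1 of double opt-in: the form was submitted. Nothing is consented yet."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (subject, purpose, source)
        self._append(subject, "requested", purpose, source)
        return token  # to be sent to `subject` in the confirmation email

    def confirm(self, token: str) -> bool:
        """Step 2: the confirmation link was followed. Only now is consent valid."""
        entry: Optional[Tuple[str, str, str]] = self._pending.pop(token, None)
        if entry is None:
            return False  # unknown or already-used token: no consent recorded
        subject, purpose, source = entry
        self._append(subject, "confirmed", purpose, f"email confirmation of {source}")
        return True

    def withdraw(self, subject: str, purpose: str, source: str = "subject request") -> None:
        """Consent can be withdrawn at any time; the withdrawal is logged, not erased."""
        self._append(subject, "withdrawn", purpose, source)

    def has_consent(self, subject: str, purpose: str) -> bool:
        """Valid only if the latest event for this subject/purpose is a confirmation."""
        state = None
        for ev in self._events:
            if ev.subject == subject and ev.purpose == purpose:
                state = ev.action
        return state == "confirmed"

    def evidence(self, subject: str, purpose: str) -> List[dict]:
        """The audit trail to produce if the subject disputes ever having opted in."""
        return [asdict(ev) for ev in self._events
                if ev.subject == subject and ev.purpose == purpose]

    def verify_chain(self) -> bool:
        """Recompute every digest and link; an edited or removed entry breaks the chain."""
        prev = GENESIS
        for ev in self._events:
            if ev.prev_hash != prev or ev.compute_digest() != ev.digest:
                return False
            prev = ev.digest
        return True


if __name__ == "__main__":
    # Constructed walk-through: a web-form subscription followed by email confirmation.
    ledger = ConsentLedger()
    token = ledger.request("alice@example.com", "newsletter", "web form /subscribe")
    print("consent before confirmation:", ledger.has_consent("alice@example.com", "newsletter"))
    ledger.confirm(token)
    print("consent after confirmation: ", ledger.has_consent("alice@example.com", "newsletter"))
    for ev in ledger.evidence("alice@example.com", "newsletter"):
        print(ev["ts"], ev["action"], ev["source"])
```

Two design points matter in practice: the ledger itself holds personal data, so it falls under the same retention and access rules as the mailing list it justifies; and the hash chain only detects tampering if the head digest is stored somewhere the ledger writer cannot quietly overwrite (write-once storage or a periodically exported checkpoint).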
 
Even if the company uses third party marketing lists where the vendor confirms the data is fit for purpose, the company is still responsible for obtaining the correct customer consent. One popular way for B2B businesses to obtain data is in person at networking events and trade shows. Many sales people currently take the names and emails of prospects and then manually add them to a mailing list. Even though the customer willingly gave their data, this will not be allowed come May 25th 2018.
How to prepare your business for GDPR?
 
Any company that works with personal data should appoint a data protection officer within their compliance team whose sole purpose will be to ensure the business operates legally when sourcing, storing and managing customer data.
 
There are many things companies will have to focus on in order to be compliant with GDPR. Here are just a few first steps for your business to consider:
 
1. Track your company’s data
Map out where all of the personal data in your entire business comes from and document what you do with the data. Note where the data is stored and who has access to it.
2. Determine which data you need to keep and which you do not
Only keep information that is necessary and remove any data that isn’t used or expired. GDPR will encourage a more disciplined treatment of personal data and companies that hold onto heaps of data, regardless of whether it is being used or not, will be fined.
Things to consider when cleaning up your data:
• Can this data be erased instead of archived?
• What is the purpose of saving all this data?
• What is the purpose of collecting all these categories of personal information?
• Is the financial benefit of deleting this information greater than that of encrypting it?
3. Take relevant safety measures
Should a security breach arise, have the correct infrastructure in place to deal with issues in a compliant fashion. Put security measures in place to prevent any data breaches, and take quick action to notify individuals and authorities in the event a breach does occur.
As previously mentioned, sourcing data from third parties doesn’t exempt you from being liable. Make sure your data providers have also followed the correct security methods.
4. Regularly review your documentation
Pre-checked boxes and implied consent will not be acceptable under the new GDPR rules, and consumers need to explicitly consent to a company using their data. Businesses will need to regularly review all privacy statements and disclosures and adjust them where needed.
5. Create compliant procedures for handling personal data
As part of the new regulations, individuals have 8 basic rights which will need to be considered by companies when planning how to obtain data.
 
Things to consider:
 
1. How can individuals give consent in a legal manner?
2. What is the correct process if an individual requests their data to be deleted?
3. How will the business ensure that the request is met and data is deleted across all platforms?
4. How will the business transfer data should the consumer request it?
5. How will the business confirm that the data genuinely belongs to the person requesting it?
6. What is the plan in the event of a data breach?
 
Whilst new regulations can bring challenges to businesses as well as unplanned associated costs, it’s important to see the bigger picture and the possibilities for companies in the future.
 
Safeguarding consumer data will help create better quality companies and improve the relationship between customer and company. Companies that comply and choose to be transparent with consumers can in turn nurture a longer, more valuable relationship with them.
 
ConstructaQuote
 