In little more than a year, new data regulations will be enacted in the EU. Do you know what data your company collects from its customers?
On 25 May 2018, the new General Data Protection Regulation (GDPR) comes into effect, and the fallout could be enormous.
Significant financial penalties will be in place for companies that break the new rules, with misuse of private customer data potentially leading to fines of up to €20m, or 4pc of an organisation’s worldwide annual turnover, whichever is higher.
Earlier this month, Pat Moran, head of PwC’s cybersecurity and IT forensics team, predicted a steep rise in litigation brought by EU citizens against companies in the wake of these changes.
“We expect consumer litigation and class actions to quickly follow once this regulation goes live, as has happened in the US,” he said.
“We are already seeing niche legal firms being established to cater for the anticipated demand, which could see another personal protection insurance debacle emerging.”
Part of the problem, it is assumed, is the potential for confusion – among both companies and the public – about what data is collected, how it is used, what counts as fair use and what does not.
Last December, Helen Dixon, Ireland’s Data Protection Commissioner, began publishing guides on how to understand the upcoming regulation. The December document came with a warning of how the GDPR gives data protection authorities more robust powers to tackle non-compliance.
In March, a group called the GDPR Awareness Coalition emerged to add further guidance, initially publishing a six-point plan for companies operating in the energy space.
Now the group’s advice has broadened, with a similar release that maps the landscape clearly, following the journey of personal data through an organisation and posing the relevant ‘what’ and ‘why’ questions at each stage.
Understanding the life cycle of the personal data you control, according to the coalition, is key.
For example, as a company, are you gathering sufficient data for the purpose of your business? What is that purpose?
Once those basics are dealt with, it is very important to examine how and where the data is held, and how access to it is audited.
Security, retention timelines and key identifiers are among the final concerns, with requests from individuals for the data held about them all but guaranteed once GDPR takes hold.