GDPR is upon us, it affects everyone and the fines are huge! It’s not the most glamorous of topics, but the General Data Protection Regulation (GDPR) is going to affect every single EU citizen and beyond, and any organisation that holds a database of any kind needs to get on board, no matter where it is based. Don’t think that just because you are outside the EU you can stop reading: you are affected too.
What is the GDPR?
The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon.
The EU’s GDPR website says the legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as for businesses and bodies that handle personal information.
The spirit of the GDPR is to protect the personal data of anyone in the EU: whether you are an EU citizen or simply live in the EU, you and your personal data are covered.
Do I need to take it seriously?
If you are an organisation and you handle data, perhaps in Microsoft Dynamics 365 or any other database system, then yes, you need to take this seriously. Whether you are the owner of the data or you are accessing and processing it on behalf of another organisation, you are in scope. Oh, and by the way, Brexit doesn’t matter: GDPR will still apply after Brexit!
When is it happening?
GDPR is already in place! Because the GDPR is a regulation and not a directive, it became law in all EU member states (including the UK, before and after Brexit) as soon as it was signed off in May 2016. The deadline of May 25th, 2018 is the one getting a lot of attention because it marks the end of the two-year compliance period; after that date, fines will start to be issued to organisations that are not complying. With fines of up to €20,000,000 or up to 4% of your global annual turnover, you can see that this regulation comes with a very heavy enforcement stick. It’s meant to be taken seriously, and the size of the maximum penalties is designed to dissuade organisations from being lax about it.
And by the way, don’t think that’s the end of the punishment. Individuals will have a right to take non-compliant organisations to court and sue, which can be even more expensive. Not to mention the hugely negative publicity.
My business is in the United States so I don’t have to worry… right?
The very essence of the GDPR is about giving back control to EU citizens and residents over their personal data held on various systems the world over. Previously there were different data protection rules in each EU country; the GDPR is designed to unify all of those rules into one regulation. As an EU citizen, my data is protected by the GDPR even if a non-European company is holding and managing that data (imagine a company like American Airlines holding information on European passengers). The scope of this regulation is simple: if you touch EU data, then you fall within its boundaries.
So what does it mean for the individual?
It means that individuals are given, by law, additional rights such as:
The Right to Erasure – This is being referred to as the “Right to be Forgotten”. Article 17 of the GDPR states that the individual has the right to ask you (the business owner) to remove their data from your systems completely, and as an organisation that manages and processes data you need to comply with this, unless there are very exceptional circumstances (which are laid out in the regulation), such as a bank needing to keep data for up to 7 years by law, or where the data is supporting legal claims (as with insurance companies).
The Right to Portability – This is a new one for most organisations. It means that a customer, for example, can ask you to remove their data from your system and send it to a competitor. Imagine the scenario of a customer changing energy supplier or pension provider; as an organisation you are obliged to do this if asked. The customer may want to do this themselves, in which case you will need to provide their data in an easy-to-use format so that they can pass it on to their new provider. “Easy to use” means that a PDF document is no good, because it is not useful for importing into other systems; a CSV or Excel document would be more appropriate.
The Right to be Informed – If an individual has consented to their data being used, then they have the right to be informed about anything that is done with that data and what it is used for. They have the right to access that data whenever they want and to withdraw consent whenever they want.
The Right to Restrict Processing – If an individual decides to “block” or suppress processing, you are permitted to store their personal data but not to process it any further.
Machine Learning and Profiling – In addition there are rights related to automated decision making and profiling (think here of the Customer Insights machine-learning type technology that is now starting to be implemented in Microsoft Dynamics 365). The details here are a little fuzzier, but the regulation states that safeguards must be in place, that inaccuracies in a derived customer profile must be correctable, and that appropriate mathematical or statistical procedures are used to create the profile.
What counts as personal data?
GDPR breaks personal data into two main types:
1. Personal Data – Any information relating to an identified or identifiable natural person, such as a name, email address, NI number, or even an online IP address.
2. Sensitive Personal Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health; or data concerning a natural person’s sex life or sexual orientation.
There are strict levels of control regarding both types of data within the GDPR, and it is recommended that all organisations (whether data controllers or processors) become familiar with these controls in preparation for GDPR compliance. Very careful consideration must be given to how much data is collected, by whom and even how, and to who can see and use this data and in what circumstances. Obviously, you will want to make sure that any sensitive data is protected and only viewable by people who need to see or use it.
Microsoft is fully aware of the GDPR and has set up the “Trust Center” (https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx) to help partners and customers prepare for the changes.
GDPR: The latecomer’s guide – Parts 2, 3 and 4
In the next post we will look at the GDPR in a little more detail, explain some of the terminology in a simplified way, and cover what it means for you as a small business. In the third and fourth posts of the series we will look at how to implement some of these levels of security using the standard out-of-the-box features of Microsoft Dynamics 365 as you prepare for the GDPR.
Contact us and ask about a Microsoft Dynamics 365 GDPR workshop day to explore how to adapt your system for the GDPR.