Businesses will face stricter regulations on data protection from May thanks to the EU’s General Data Protection Regulation. It’s focused on protecting the privacy of individuals, with some major penalties
If you’re a coach or bus operator, you will hold data on your customers. Thanks to the EU’s General Data Protection Regulation (GDPR), which applies from 25 May, you may need to make changes to how you hold and handle it.
The purpose of GDPR is to protect individuals' personal data and privacy. It applies to every organisation that processes personal data, including SMEs. Consent is one of the lawful bases it allows for processing, and where you rely on it, that consent must be an active, freely given agreement: pre-ticked boxes do not count, and you will need an audit trail showing when and how it was obtained.
Individuals may withdraw that consent at any time, after which processing that relied on it must stop. Under the 'right to be forgotten' they can also ask for their records to be erased, and you must comply unless you have another lawful basis for keeping them (a legal obligation to retain certain records, for example).
Businesses must also know exactly where personal data is held, and there are tight reporting requirements should a breach occur: the supervisory authority (the ICO in the UK) must be notified within 72 hours of the organisation becoming aware of a breach that puts individuals' rights at risk, and the individuals themselves must be told where that risk is high. In other words, GDPR requires data protection by design and by default.
A sound footing?
As is typical of an EU Regulation, GDPR itself is an extensive document. The UK Information Commissioner's Office (ICO) has issued guidance on how to prepare for it, including a 12-step checklist.
The most important aspect is contained in the introduction. Although GDPR will replace current laws on data protection, many of GDPR’s main concepts and principles are much the same as those in the outgoing Data Protection Act.
“If you comply with the current law, then most of your approach to compliance will remain valid under GDPR and can be a starting point,” says the guidance. “However, there are new elements and significant enhancements, so you will have to do some things for the first time and do some things differently.”
A report by BT advises that every process, IT application and area of infrastructure must be built around the protection of privacy, and that the systems used must be proactive rather than reactive.
Supervisory authorities will take failures to observe GDPR seriously. Fines for lesser infringements can reach €10m or 2% of worldwide annual turnover, whichever is higher, while a breach of the core principles or of the rights of the people whose data the company holds can attract double that: €20m or 4% of turnover.
What to do?
Besides ensuring that all of your relevant staff are aware of GDPR, the ICO advises businesses to document what personal data they hold, where it has come from, and who it is shared with.
Doing that will help them to satisfy GDPR’s accountability element. “That requires organisations to be able to show how they comply with the data protection principles, for example by having policies and procedures in place,” says the guidance.
The key to GDPR’s requirements, however, is individuals’ rights. “On the whole, they are the same as those under the Data Protection Act, but with some significant enhancements.
“If you are geared up to give individuals their rights now, then the transition to GDPR should be relatively easy,” says the ICO document.
If an individual makes a subject access request, organisations will have less time to comply: one month rather than the current 40 days, and in most cases no fee may be charged. Individuals will have the right to complain to a supervisory authority if their request is refused, and a stronger right to have their data erased.
Children’s needs
Importantly for operators who hold records of children who use their services, GDPR brings in special protection for youngsters. If you rely on consent to collect information about a child, you may need a parent or guardian's permission to process that data lawfully; GDPR sets the age below which this applies at 16, although member states may lower it to 13, as the UK intends to do.
“Achieving compliance with GDPR requires more than putting a new process or piece of technology in place,” warns the BT report. “Organisations have to look at their entire security landscape, because it underpins their efforts to understand and protect their data. Without a successful security strategy in place, they will suffer the financial, regulatory and reputational consequences that follow a serious breach.”
Although it may sound like more red tape – and despite Brexit, GDPR will remain part of UK law after withdrawal via the EU (Withdrawal) Bill, commonly called the Great Repeal Bill – BT says that it is also an opportunity for businesses.
“GDPR offers an opportunity to review and redesign security strategies in a way that protects data against new and existing threats, and builds a strong brand based on public trust,” it says. “As long as data is protected, digital transformation is the way forward.”
Whether you are a coach or a bus operator, there is no doubting that IT and cloud-based computing will play an ever-increasing part in your business's day-to-day dealings. Data breaches have been reputational disasters for the organisations that have suffered them; GDPR will protect your customers, and it will also protect you.
Read the ICO report at bit.ly/2D6vZqy
routeone comment
No operator will react to GDPR with glee, but as the ICO guidance makes clear, organisations that already practise good data security are in a good position to comply.
The potential for significant fines should GDPR not be observed, or should a data breach occur, is clear. In both cases, but particularly the latter, reputational damage is likely to be just as serious, considering that operators' relationships with their customers are built on trust.
Time to prepare for GDPR is running out; it is four months away. There are many reports, guidance documents and much else besides online, and various organisations can give advice on the subject.