The General Data Protection Regulation will lead to long-term implications for businesses and individuals in the European Union. Considering that data privacy and security remains a hotly debated topic across the globe, businesses would do well to start taking appropriate measures and be GDPR compliant ahead of next year’s deadline. Brian Coombs, Product Director at Cerillion, chips in with more details on the subject...
What is GDPR?
The General Data Protection Regulation (GDPR) requires all organisations to follow strict processes and procedures when collecting and storing the personal data of individuals in the European Union (EU). It aims to strengthen data protection for everyone in the EU, and to ease the regulatory environment for international trade by replacing a patchwork of national laws with a single regulation that applies throughout the EU. GDPR arrives against a backdrop of growing demand for data privacy and widespread concern over data breaches.
When is the deadline to become GDPR compliant?
The regulation applies from 25 May 2018, when it replaces the 1995 Data Protection Directive (95/46/EC). While that still seems quite a while away there is a lot to do, and this transition period gives organisations time to put in place the processes they need to manage information (data) flows more effectively.
What is the scope of GDPR?
GDPR does not apply to all organisational information, only to personal data: any information relating to an identified or identifiable living individual, which is broader than the "Personally Identifiable Information (PII)" many businesses are used to. Personal data must be collected on a lawful basis, most often the explicit consent of the data subject, and used only for the purpose stated when it was collected. Both data processors and data controllers are liable under GDPR. All companies within the EU are subject to the regulation, regardless of where the data is stored and processed, and its jurisdiction also extends to businesses outside the EU that offer goods and services to EU residents or monitor their behaviour.
What are the key provisions of GDPR?
Privacy by design and default –
GDPR requires organisations to build privacy into their processes and systems by design and by default. In practice this means that all company software and systems must support the key tenets of GDPR. For instance, the software must be able to locate and completely erase an individual's personal data if the data subject requests it.
Right to be forgotten
– Before we examine this provision, it's worth recalling the story of Spanish resident Mario Costeja González. Back in 2009, he began a five-year battle with Google after discovering that a search for his name returned a 1998 newspaper notice about a property auction connected to a debt he had long since settled. Costeja wanted Google to remove links to the notice, which was no longer relevant to his life. With the backing of the Spanish data protection agency (AEPD), the case reached the European Court of Justice, which ruled in his favour in 2014. The decision underlined the importance of the 'Right to be Forgotten'. Under GDPR, organisations must be able to justify every item of personal data they hold, and must have reliable mechanisms in place to delete it when a user requests, subject only to the exceptions the regulation allows (for example, data that must be kept to meet a legal obligation).
Right to Data Portability
– GDPR gives data subjects the right to obtain their personal data in a structured, commonly used and machine-readable format, and to transfer it from one data controller to another securely. This provision allows individuals to make use of their own personal data for their own benefit.
Explicit opt-in consent
– GDPR strengthens the case for explicit opt-in consent from customers before their personal data is used. Control over one's personal data, a simmering issue in the US, is a central aspect of GDPR: consent must be freely given, specific, informed and as easy to withdraw as it was to give, and pre-ticked boxes or silence do not count. Organisations also need to communicate clearly when asking for personal data and state plainly what it will be used for.
Harsh non-compliance fines
– The regulation places strict demands on businesses: depending on the nature of the violation, non-compliance can result in penalties of up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher.
Stricter rules for data breaches –
Breach notification is another key provision of GDPR. Organisations must notify the supervisory data protection authority within 72 hours of becoming aware of a personal data breach (or explain the delay), and must inform the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Meeting a 72-hour clock is only realistic if detection, triage and escalation paths are in place before the breach happens.
What will be GDPR's impact on BSS?
GDPR will place new demands on Business Support Systems (BSS), and organisations will have to make sure that all their systems and processes are aligned with the provisions of the regulation. Modern BSS and OSS solutions must treat GDPR compliance as the default. Systems should be geared to ask for consent at each step, record that consent, and be capable of erasing a customer's entire data footprint if requested. Here at Cerillion, we have been following closely the recommendations regarding the interpretation of GDPR and have been preparing our solutions to ensure our customers are ready ahead of the May 2018 deadline.
Businesses should also use encryption wherever possible, to ensure that a security breach doesn't snowball into a data breach. GDPR itself recognises this: where breached data has been rendered unintelligible to anyone not authorised to access it, for example through encryption, the obligation to notify affected individuals falls away, although the supervisory authority must still be told. The caveat is that encryption only helps if the keys are stored and managed separately from the data, so that an attacker who copies the database does not also get the means to read it. In addition, organisations falling under GDPR must now conduct rigorous testing and hardening of all internet-facing applications. To this end, Cerillion uses independent security specialists to regularly test our online applications for known vulnerabilities.
What will be GDPR's impact on telecoms businesses?
The impact of GDPR on telcos will be far greater than just the BSS/OSS. Businesses that transfer information into data warehouses for reporting and marketing purposes will now need to be ready to delete or 'anonymise' these data sets. Internet Service Providers will also have to make sure that they store and use consumer information only with explicit consent, and that data used for analytics is pseudonymised so that it cannot easily be linked back to a single individual without additional information that is kept separately and securely.
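The following is an added example (not Cerillion's code or part of the original article) of how a warehouse extract can be pseudonymised before it leaves the controller's systems, and how the controller can still honour an erasure request afterwards. The record layout, sample rows and the key handling are assumptions for illustration. Direct identifiers are dropped, the subscriber number is replaced with a keyed HMAC token (a plain hash of a phone number is reversible by enumerating all possible numbers, a keyed hash is not unless you hold the key), and quasi-identifiers such as postcode and date of birth are coarsened so that combinations of them no longer single out one person.

```python
"""Pseudonymising a BSS usage extract for a data warehouse.

Added example, not Cerillion's code. Field names, the sample rows and
the key handling below are assumptions for illustration.
"""
import hashlib
import hmac
import json

# Constructed sample rows, shaped like a usage extract a BSS might push to a warehouse.
SAMPLE_EXTRACT = [
    {"msisdn": "+447700900123", "name": "A. Example", "email": "a@example.com",
     "postcode": "SW1A 1AA", "birth_date": "1984-03-09",
     "started": "2017-05-01T09:12:44", "call_seconds": 312, "tariff": "PAYG-10"},
    {"msisdn": "+447700900123", "name": "A. Example", "email": "a@example.com",
     "postcode": "SW1A 1AA", "birth_date": "1984-03-09",
     "started": "2017-05-01T18:40:02", "call_seconds": 45, "tariff": "PAYG-10"},
    {"msisdn": "+447700900456", "name": "B. Example", "email": "b@example.com",
     "postcode": "M1 1AE", "birth_date": "1991-11-23",
     "started": "2017-05-02T07:05:10", "call_seconds": 1200, "tariff": "SIM-20"},
]

# Fields that identify a person on their own: these never leave the controller's systems.
DIRECT_IDENTIFIERS = ("msisdn", "name", "email")
# Fields that identify a person in combination: coarsened rather than dropped.
QUASI_IDENTIFIERS = ("postcode", "birth_date", "started")
TOKEN_HEX_LEN = 32  # 128 bits of the HMAC output, ample to avoid collisions


def subscriber_token(msisdn: str, key: bytes) -> str:
    """Deterministic, keyed token for one subscriber.

    SHA-256 of an MSISDN alone could be reversed by hashing every possible
    number (~10^10 candidates). HMAC-SHA256 with a secret key that stays with
    the controller (never shipped with the extract) defeats that enumeration
    for the warehouse, while the controller can still recompute the token to
    find a subject's rows when an erasure request arrives.
    """
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def pseudonymise_record(rec: dict, key: bytes) -> dict:
    """Drop direct identifiers, tokenise the subscriber, coarsen quasi-identifiers."""
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS + QUASI_IDENTIFIERS}
    out["subscriber_token"] = subscriber_token(rec["msisdn"], key)
    out["postcode_area"] = rec["postcode"].split()[0]        # outward code only, e.g. "SW1A"
    out["birth_decade"] = int(rec["birth_date"][:4]) // 10 * 10
    out["started_hour"] = rec["started"][:13]                # "YYYY-MM-DDTHH", minutes/seconds dropped
    return out


def pseudonymise_extract(records: list, key: bytes) -> list:
    return [pseudonymise_record(r, key) for r in records]


def erase_subject(pseudonymised: list, msisdn: str, key: bytes) -> tuple:
    """Remove every warehouse row for one subject using only the controller's key.

    Returns (remaining_rows, number_removed).
    """
    token = subscriber_token(msisdn, key)
    kept = [r for r in pseudonymised if r["subscriber_token"] != token]
    return kept, len(pseudonymised) - len(kept)


if __name__ == "__main__":
    # Assumption: in production the key comes from an HSM or secret store and is
    # rotated per purpose; a literal is used here so the example runs offline.
    key = b"controller-held-secret-key"
    safe = pseudonymise_extract(SAMPLE_EXTRACT, key)
    print(json.dumps(safe, indent=2))
    remaining, removed = erase_subject(safe, "+447700900123", key)
    print(f"erased {removed} rows, {len(remaining)} remain")
```

Because the token is stable across rows, the warehouse can still count calls per subscriber or per tariff, which is what reporting needs; that same stability is why this output is pseudonymised rather than anonymous, and why it remains personal data under GDPR as long as the key exists. If the key is destroyed (or a fresh key is used for every extract so tokens cannot be joined across loads), the link back to an individual is gone and the data moves much closer to anonymous. Either way, the key must live in a different trust boundary from the warehouse.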
Businesses that need to retain data for legitimate legal purposes will now need to separate it from other systems, so that it is not accidentally processed for other purposes. In addition, the appointment of a Data Protection Officer (DPO) will be mandatory for controllers and processors whose core activities involve large-scale monitoring or processing of personal data. On the positive side, the new 'one-stop-shop' arrangement, under which a business deals with a single lead supervisory authority, will ease the burden on international businesses that currently have to deal with the local Data Protection Authority (DPA) in every member state.
Another important area for Communications Service Providers (CSPs) will be data portability. Telcos must be able to provide consumers with a copy of their personal data in electronic form, which means keeping that data in a structured, commonly used and machine-readable format. A straight dump of tables from lots of disparate systems is unlikely to make the cut here.
Telcos will spend millions of pounds to bring their businesses under GDPR compliance. To make sure that your organisation is GDPR compliant, make sure that your BSS/OSS providers are already taking steps in this direction. If your suppliers have not started planning for GDPR, we strongly urge you to look elsewhere!
GDPR is not a problem, it's an opportunity
Yes, the clock is ticking on GDPR and we are about one year away from the regulation applying. It will affect just about every business in the EU. There has been some discussion over whether the UK will escape it after Brexit, but clearly that's not the case: the UK will still be a member state in May 2018, and UK businesses serving EU residents would fall within scope in any event. Organisations will need to work with all of their suppliers and vendors to ensure they are given the tools and support needed for compliance. But there is no one-size-fits-all when it comes to GDPR. Companies that are going to be compliant will need to work out their own requirements in line with their business dynamics and unique circumstances.
The final word – don't look at GDPR as a problem, embrace it as an opportunity instead! The short-term inconvenience of GDPR will push businesses to clean up their act and improve efficiency. Built-in privacy mechanisms will help them gain consumer trust and loyalty, and ultimately improve sales. Moreover, the regulation arrives on the cusp of a data explosion driven by the Internet of Things (IoT). In that sense, companies can truly future-proof their business with GDPR.
Our customer management solutions can help you achieve GDPR compliance.