There is much talk right now across many industry verticals, from Financial Services and Fintech to Transport and Retail, about the General Data Protection Regulation (GDPR).
Many articles reference the significant fines of 4% of annual global turnover or €20 million, whichever is greater. Lots of references are being made to Customer Consent, The Right to Be Forgotten and Personal Information Data Security.
Beyond the fines, the buzzwords, what does GDPR mean for companies operating across the EU Member States? How can platforms like Xtremepush help get your house in order and thrive in this new environment?
For completeness I will firstly give a concise overview of GDPR and its implications, and then a high-level path to guide you through the challenges that it presents. It is worth noting that the legislation remains somewhat fluid at present until final transposition, and there are a number of points of ambiguity. That said, the key principles of the legislation are clear.
The GDPR legislates for the use of mobile devices, cloud-based solutions and data centres, and for the encryption of the data held on them. The GDPR is about the protection of Personally Identifiable Information Data (PII) and will be introduced uniformly across all EU Member States in May 2018. It is important to note that the GDPR also applies to data controllers and processors outside of the EU who offer products and services to EU residents, irrespective of whether or not data processing occurs in the EU. Despite Brexit, GDPR will continue to apply to the UK.
Under the legislation, Data Processors are for the first time legally bound to comply with data protection requirements and direct enforcement by regulatory authorities that previously applied only to Data Controllers.
Key Principles of the GDPR
- Personal Information Data and Security
- Privacy By Design
- Obligations of Data Controllers/Data Processors
- Customer Consent
- Right to Be Forgotten
- Reporting, breach notification and fines
- Potential requirement for a Data Protection Officer (DPO)
I’ll briefly explain the implications of each of these below:
1. Personal Information Data & Security
- GDPR broadens the definition of PII data to include any information relating to an identified natural person.
- Online identifiers such as IP addresses and location data are now deemed to be Personally Identifiable Data.
- Personal data must be protected in a manner that ensures appropriate security of the data, protecting against unlawful processing, accidental loss or damage with appropriate technical and operational measures in place.
2. Privacy by Design & By Default
- Data privacy is engineered across the life cycle of a product/service development.
- The strictest privacy controls possible apply once a Customer acquires a new product/service, with no manual privacy setting changes required.
- Standards and controls include the encryption and pseudonymisation of PII Data.
3. Data Controller/Processor obligations
- If you are a Data Processor and use data from a Data Controller for a purpose other than that intended by the Data Controller, you then become a Data Controller under the legislation.
4. Customer Consent
- A Customer must provide a statement or a ‘clear affirmative action’, which may include ticking a box on a website. However, pre-ticking of boxes or similar inactivity is deemed to be an unacceptable form of consent.
- In addition, explicit consent is required for processing of special categories of PII data (e.g. ethnic origin, political opinions, trade union membership, religious data, biometric data).
5. Right to Be Forgotten
- A Customer can withdraw consent at any time, and withdrawing consent should be as easy as giving it.
- At the request of the Customer, all Personally Identifiable Data must be destroyed and removed from data storage platforms.
6. Reporting, notification and fines
- Where a security breach leads to PII data being disclosed, destroyed, lost, altered or stolen, the competent supervisory authority must be notified no later than 72 hours after the data controller has become aware of it.
- If a data processor experiences a data breach, it must notify the data controller.
- If a company is found to be in breach of the GDPR, it is liable for a fine of 4% of global annual turnover or €20m, whichever is the greater amount.
7. DPO requirement
- There are specific cases where it will be mandatory to appoint a Data Protection Officer (DPO).
- The appointment of a DPO is a pragmatic approach that ensures ongoing compliance monitoring, reduces the risk of a breach and demonstrates a best-in-class data management approach.
Xtremepush can help with your GDPR Compliance requirements
Here at Xtremepush data is right at the core of our business. We have developed a powerful platform which in itself addresses key GDPR compliance requirements, including a new module specifically for Customer Consent Management and Customer Data Management in the broader sense.
Our platform includes:
- Enterprise Grade security controls (passed multiple bank security tests)
- A Customer Consent module that enables real-time exclusion of Customer data across multiple channels, and an ability to manage Customer Consent not just at an individual level but also at a segment or group level if required.
- An inbuilt Real-Time Auditing Capability to report on Consent and PII data protection components.
- The right to be forgotten, enabled through the Customer Consent Management Module.
- An Agile Platform (cloud or on-premise) built with data protection and privacy rights at its core by design.
The architecture, controls and real-time auditing capabilities ensure that Xtremepush are perfectly positioned to manage your GDPR data protection, consent and right to be forgotten requirements, via a powerful, secure and resilient platform.
This is the first of a number of Xtremepush articles on GDPR. Over the next few weeks, we will publish further articles regarding GDPR, including updates on the GDPR legislation, the global impact of GDPR, use cases across a number of industries, and more details on how Xtremepush "Customer Consent Management" and "Customer Data Management" modules can help your business.