The 5 Key GDPR Changes at 100 days and counting
September 2nd marked 100 days since the General Data Protection Regulation (GDPR) came into force. The new rules marked a much-needed update to the UK’s aging 1998 Data Protection Act.
The update had been a long time coming. So what have we learned so far? Here are five ways that GDPR has shaken up the way we gather, store and process data.
1. Effective data management starts with discovery
With the amount of data collected and stored by organisations large and small, data discovery has played a major role in achieving GDPR compliance.
What’s more, being able to react to changes in user habits and trends, like permanently deleting social media accounts or customer history and interactions, has added complications to data management that must be addressed.
Advances in technology, like Big Data and Machine Learning, have added a level of simplicity to creating a data inventory. When implemented correctly, these principles can be used as part of an eDiscovery and data mapping process with the ability to rapidly find and categorise data and to do so on an ongoing basis – ensuring continual compliance for an organisation rather than just at a single point in time.
The added benefit of a digital discovery process is that unknown data is often identified and located. It’s vital that all data is accounted for to ensure compliance. After all, you don’t know what you don’t know.
2. The price of non-compliance
Failure to comply with the GDPR can lead to heavier punishments than ever before. Fines for malpractice have increased from a maximum of £500,000 up to €20 million, or 4% of annual turnover (whichever is higher).
What’s more, individuals can sue a business for compensation to recover both material damage and non-material damage, like distress.
Article 82 of the GDPR states that any person who suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered.
Therefore, it’s possible that compensation claims could reach huge numbers if a breach occurs on a large scale under the new rules, increasing financial losses as well as consuming vast amounts of time dealing with individual litigation. Just consider the recent British Airways data breach, where BA revealed that 380,000 customer transactions had been compromised. As well as potentially facing an enormous fine under GDPR, it may be the case that every customer will be eligible for compensation.
3. Dealing with SARs
Subject Access Requests (SARs) are not a new component of the GDPR; they were first introduced under the 1998 DPA. However, GDPR has made several changes to the way that SARs (or the Right of Access, as they are known under GDPR) operate, which organisations must be aware of.
To begin with, organisations can no longer charge for producing SARs, and they have less time to complete them (one month, instead of 40 days).
Exonar’s own research found that many organisations struggled to meet the deadline for providing answers to FOI requests (FOI requests must be completed within 20 working days), highlighting the difficulty that many will face complying with requests under the new GDPR requirements.
The time taken by public sector organisations to respond to an FOI varied from one day to 159 days. On average it took 24 days, with the NHS averaging 27, emergency services 21, central government 22 and local government 23 days.
In another survey Exonar carried out before GDPR came into force, 57% of individuals said they would want to request their data as there is now no cost. This means organisations need to ensure they are prepared for a significant increase in the number of requests they handle.
They also need to ensure they are giving users the data they are expecting. For example, Spotify users recently noticed that although they have access to data download tools, to get hold of all of the data held – such as telemetry or A/B testing – a SAR needed to be sent to Spotify’s privacy team.
But the latest technology can help. Platforms are available that can map and understand any information held and create an index which can then be searched in seconds, no matter how much data is held. This greatly reduces the time and cost of managing data and compliance, and in fact it can reduce the cost of processing a SAR to zero.
4. Understand your data
Achieving compliance with the principles of GDPR is an ongoing task, but it becomes a simple one with added benefits once you understand the data you hold and how it’s processed. A completed audit shouldn’t mean you then stand still. Data should be continually reviewed to better organise and refine management processes.
Removing risk, especially if it’s data that has no value, is vital. When you understand your data, it makes it much easier to identify and act on duplicate, obsolete or redundant data and therefore minimise storing and processing costs.
The latest tools are able to search your sensitive information and index files in any format, no matter where the data is held, such as mail servers or the cloud. This means locating and understanding information like passwords, credit card details and confidential records is simple.
5. Beyond GDPR
Although it applies mainly to data processing, the effects of GDPR are far reaching and a successful programme of compliance often brings additional benefits, such as improvements in efficiency and productivity, tighter cyber security and increased customer loyalty and trust.
Of course, in a perfect world, data would already be stored securely and processes would be in place to ensure continued compliance.
But the good news for any businesses concerned about GDPR compliance and surviving the next 100 days is that the tools mentioned above are all available today. And not only will they help you become compliant, but they will ensure you remain compliant and in control of your data.
Adrian Barrett, CEO and founder, Exonar
To find out more about the tools that can help you to discover and understand your data, visit exonar.com. For specific help with SARs, see sarlution.com.