The General Data Protection Regulation (GDPR) will replace the Data Protection Directive as of the 25th May 2018, affecting the way your organisation should approach data privacy.
Summary of key changes
Organisations that breach the GDPR will be subject to financial penalties. For the most serious infringements, fines will be up to 4% of annual global turnover or €20 million, whichever is greater. Fines follow a tiered approach; for example, a company can be fined 2% for not having its records in order.
This means Talk Talk's £400,000 fine for the 2015 cyber-attack would be over £71 million under the GDPR legislation.
- Consent: The conditions for consent have been tightened. Your organisation will need to make consent requests in an intelligible and easily accessible form, with the purpose or purposes of the data processing attached to that consent. It must also be as easy to withdraw consent as it is to give it.
- Breach notifications: Customers will need to be notified of any data breaches that are likely to result in "risk for the rights and freedom of individuals" within 72 hours or "without undue delay".
- Right to Access: GDPR has called for a shift in data transparency which means your business will need to be able to provide customers or anyone you hold personal information about, a personal free copy of their data in an electronic format, upon request. This information must include whether or not their data is being processed and if so, where and for what purpose.
- Data Erasure, aka the Right to be Forgotten: Anyone you hold personal data about will have the right to have that personal data erased.
- Privacy by design: At the most basic level, this means your organisation needs to build in protective measures from the outset of designing its systems. For example: holding only data that is strictly necessary, such as name and contact details; 'minimising' other personal information, such as age; and ensuring that access to personal data is limited to those who need it to carry out the processing.
How will GDPR affect your telecoms infrastructure?
Under the new regulations your company will need to keep a do-not-call list of anyone that has said they do not want to receive calls. You must also screen these calls against the TPS and CTPS lists and ensure you always display your number.
- Can you wipe all the data from your company mobiles if a device is lost or stolen?
- If you're running a BYOD policy for mobile phones, do you let your staff receive their work emails via their phones? This removes your control over customer data.
- Are you using a security solution? Potentially virus-ridden devices plugged into your computer systems for charging or synchronisation could spread malware to your network.
Under the GDPR it is now even more vital that you are in control of your data and the security of your mobile devices. Protecting your mobile devices from attack is crucial, as is a clear boundary between business data and personal data.
Here to help
We provide a Mobile Device Management solution that ensures you can detect and restrict jailbroken and rooted devices, set high-level password policies and remotely locate, lock and wipe lost or stolen devices, ensuring your corporate data stays safe. Furthermore, you can choose to blacklist certain apps to avoid viruses, control which members of staff have access and separate both business and personal content. Free basic version also available.
Using customer numbers for sending marketing messages over SMS? You'll need to ensure you include a form of opt-in for future SMS marketing and include an option to 'opt-out' in each message you send.
Do you programme customer numbers in your desk phones? You'll need to ensure you know where personal details are stored across your devices if you're faced with a right to erase claim.
Alongside outgoing mobile calls, your company will also need to keep a do-not-call list for landline calls of anyone who has said they do not want to receive calls, screen calls against the TPS and CTPS lists, and ensure you always display your number.
If your business wishes to record calls, you'll need to actively justify why, by demonstrating that the purpose fulfils at least one of the following six conditions:
1. The individual involved in the call has given consent to being recorded.
2. Recording is necessary for fulfilling a contract.
3. Recording is necessary for fulfilling a legal requirement.
4. Recording is in the public interest or necessary for the exercise of official authority.
5. Recording is necessary to protect the interests of one or more participants.
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call.