With the GDPR data protection regulation coming into force on 25th May 2018, a Symantec survey has revealed that 9 out of 10 businesses are not confident that they will be able to delete customer data on request.
Right To Erasure.
One of the many important impacts of GDPR will be the ‘right to erasure’, which builds upon the ‘right to be forgotten’ when it comes to customer data. Under Article 17, controllers will have to erase personal data “without undue delay” if the data is no longer needed, the data subject objects to the processing, or the processing of the data was unlawful. In short, if a customer asks you to delete all of the data you hold about them, you will have to do so quickly or face steep financial penalties.
Unfortunately a recent survey by security firm Symantec shows that 9 out of 10 businesses think it will be difficult for them to delete customer data if they receive a request, and only 4 out of 10 companies have a system currently in place that allows them to do so. This raises questions about how prepared UK businesses are for GDPR and how vulnerable they are to the risks of non-compliance.
Another finding of the same survey is that 35% of UK business and IT decision makers don’t think that their companies take an ethical approach to securing and protecting customer data. This highlights what appears to be a difference in attitude between companies and consumers about the importance of data security.
Data Protection Very Important To European Consumers.
It is worth companies taking note, however, of how important an issue data security is to consumers across Europe. The Symantec report reveals that no less than 88% of European consumers think data security is the most important factor when choosing a company. A similarly high proportion (86%) think that data protection is even more important than product quality!
Not Prepared Yet.
With the introduction of GDPR less than 19 months away, one of the worrying factors highlighted by the Symantec report is how unprepared many UK businesses are. For example, 96% of companies don’t understand GDPR and 91% don’t think they’ll be able to comply with it.
It also seems that UK businesses have given GDPR a low priority despite its potentially serious impact. For example, only 22% of companies have made complying with the European security demands a priority over the next two years.
What Does This Mean For Your Business?
The new UK Information Commissioner Elizabeth Denham has already stated publicly that she would support the UK adopting EU data protection laws, even after Brexit. The fact is that GDPR is likely to come into force before Brexit anyway, and whatever happens GDPR will apply to organisations anywhere in the world that hold and process data about EU citizens. This means that UK businesses that haven’t started already should make GDPR a much higher priority and make sure that they are prepared to be able to comply in time for May 2018.
In fact, hardly any data will fall outside GDPR, which means your business will need to become very familiar, very quickly, with GDPR and its implications. GDPR will mean, for example, that:
- Your company will need to be clear about getting consent to use a person’s data for just the specified purpose and not regard silence or inactivity as consent.
- You may need to prepare to select a DPO for appointment, and your company may require a lot of training so that everyone understands basic compliance. This could mean that the kind of human error that could cause a data breach is minimised.
- Your data security policies may need to be changed and the changes promoted across the company. You will also have to develop highly effective systems for monitoring for any data breaches. There will also be the need to design compliance into all data handling and processing systems, which could mean starting the analysis and thought process now to ensure that you are ready for May 2018.
- You will have to develop effective systems that ensure fresh consent is gained before you alter the way you use data, and that all data on a subject can be easily and quickly deleted on request.
- If your company provides data processing services for anyone else’s personal data you will need to consider your liability and be compliant with the new EU regulations.