What is GDPR, and why does it matter for businesses?
Over the years, the internet has drastically changed the way we communicate and how we use it. We send emails, pay bills, share files, use social networks, and purchase goods by entering our personal details. But have you ever stopped to think about how much personal data you share online?
Organisations say that they collect this type of data so that they can serve you better and offer you more targeted and relevant communications and content. But is that what they really use the data for? This is the question that the EU asked, and it answered in 2018 with a privacy regulation named GDPR – something that changes the way businesses collect, store and use customer information.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation, often shortened to GDPR, is an international data protection law that was rolled out in May 2018. It was created by the European Union to strengthen the rights of citizens and to set out clear rules on how individuals’ personal data may be gathered, processed and stored, making those rules consistent across countries.
The basic principles of GDPR are that data collection should be minimised as much as possible, and that any data which is collected should have a clear purpose. Any data which is collected should only be kept for as long as is necessary, and this whole process should be fully transparent. Customers and clients should be aware of what data is being collected, and have the option to access, view and remove their personal data at their own discretion, and in a timely manner.
The GDPR applies to all organisations which:
- Operate in the European Union (EU) or European Economic Area (EEA)
- Control, store or process personal data originating from the EU or EEA
- Are based or operate in countries that have otherwise instituted the GDPR as law (such as the United Kingdom)
Why does personal data need to be protected?
Many of us will willingly give away our data in order to make our lives a little bit easier. Whether it’s giving apps permission to use different parts of our phone, not reading the terms and conditions, or blindly clicking ‘Accept’ on websites, it’s common to see questions about data usage as a hindrance, rather than something to pay attention to. So why is it important to protect personal data?
- Many people simply object to the fact that other people have access to or collect their personal data without their knowledge.
- Personal data could be used to discriminate against people unfairly. This is why it’s essential to set out what personal data is used, and what it is used for.
- It’s important that people can control who has access to their personal details so they can maintain their privacy and avoid unsolicited communications.
- Your organisation’s reputation depends on it. To ensure that your customers and partners feel safe entrusting their personal data to you, it’s essential that you protect the personal details they give you.
The fact that many people do not think about how their data is being collected and used does not mean that those things aren’t important. The reality is simply that many people are not conditioned to think about it, because access to their data has been abused for so long. If more people knew how their data has been used in the past – not just for marketing and advertising purposes, but as a way to identify things like political affiliations and sexuality – they would likely be less cavalier.
This is something that GDPR has begun to achieve. The greater responsibility placed on businesses and organisations has created an obligation to inform customers about what data is being collected and how it is being used. Together with high-profile incidents such as the Cambridge Analytica scandal, this has started to make people more conscious about the data they give away and what it is being used for. As a result, people are becoming more selective about the data they provide and the services they use – something that can have a direct impact on businesses.
The best ways to protect customer data
Protecting customer data isn’t just a matter of complying with regulations. Storing data securely and efficiently keeps it safe from unauthorised access and organised in such a way that it can be managed easily when needed, making your business more efficient.
Achieving this means putting simple processes in place to capture and store data securely, and organising it correctly from the outset rather than having to go back and reorganise or reformat it later. Measures that you should be putting in place to protect customer data include:
- Email etiquette – Confidential and personal data can easily become exposed through emails without any malicious intent being involved. Staff should be trained to never send passwords over email or ask for sensitive information via email, such as when collecting data or confirming a customer’s identity. Similar principles may apply to communication tools such as Slack, or customer support tools such as web chat and help desks.
- Passwords – Almost every service, app and device is protected with passwords. Passwords, however, provide little protection from cyber criminals if they are not created properly and used securely. Multi-factor authentication (MFA) should be implemented for any user accounts on your website, and password data should be transmitted only over encrypted connections and stored only as hashes, never in plain text.
- Organisation – Under GDPR, companies are required to respond quickly to customer data requests, including modifying or deleting data. This may necessitate the use of secure databases or other centralised methods of data storage, in which data is neatly catalogued and easily accessible to relevant personnel, while also being secured by MFA.
- Responsible person – Managing customer data in line with your obligations under GDPR may require you to hire or assign a dedicated Data Protection Officer (DPO). This person will take responsibility for monitoring GDPR compliance, and act as a point of contact for any customer or client questions regarding their data.
We hope that this advice helps you to better understand your obligations under GDPR, and how to keep customer data safe. If you have any questions about GDPR regulations, data protection, password security or MFA, don’t hesitate to get in touch with Sota today.