As the way we process data develops and organisations become increasingly international, the rules and regulations surrounding data protection must also adapt to keep up to date with new technology and methods. That’s why, in 2012, the European Commission proposed a new General Data Protection Regulation (GDPR) to unify data protection laws across the European Union.
Approved in 2016 by the European Parliament and set to take effect from early 2018, GDPR will override national laws and introduce new and more detailed protection legislation for personal data. But with Brexit on the horizon, will UK companies have to comply with these new regulations? Here’s everything you need to know…
What is GDPR?
GDPR is a new set of data protection principles designed to unify data protection law and to enable an easier flow of data across the EU. The new legislation is very similar to our own Data Protection Act but includes more detail to cover changes in technology, as well as new accountability requirements for data controllers and processors.
Much like the DPA, the new legislation concentrates on ensuring data is processed lawfully and fairly; is only collected for legitimate reasons; is limited to what is necessary; and is protected by documented and verifiable security measures.
However, GDPR also covers new rights for individuals (such as the right to be informed of breaches, right of erasure, right of consent, and new children’s rights), while also focusing on policy transparency and safety for data transfers.
Here are some of the key changes:
- Transparency recommendations that used to be considered ‘good practice’ under ICO and PCI DSS regulations (for example, privacy impact assessments) will now become legal requirements.
- If the processing of data requires consent from an individual, this consent will now have to be documented and verifiable.
- If a breach is detected that puts a customer’s data, freedoms and rights at risk, companies will now be required to notify the relevant authorities and, in severe cases (such as any compromise of personal information that could lead to identity fraud or theft), the affected individuals themselves.
- New laws on safeguarding the transfer of data to countries outside the EU.
- More detailed legislation on what constitutes ‘personal data’ to reflect developments in technology. For example, an IP address is now considered to be an identifier and will be covered by GDPR. Legislation will also now cover both automated personal data and manual filing systems, unlike the DPA.
- More legal liability and accountability for both data processors and controllers in the event of a breach.
- Organisations will now be required to demonstrate how they comply with GDPR; for example, by providing documented examples of decision making and policies.
Who Will GDPR Apply to?
The new GDPR legislation will apply to any data controllers and processors operating within the EU or who deal with customers who are EU citizens. The definitions of controller and processor are much the same as with the DPA, i.e. the individual or organisation who makes decisions on how and why data is processed, and the individual or organisation who processes that data on behalf of the controller, respectively.
Will GDPR Still Apply to UK Contact Centres After Brexit?
With the UK’s exit from the EU still undefined, it is unclear to what extent UK contact centres will have to comply with the new rules. However, if your contact centre operates internationally or handles transactions from EU citizens then your company will be subject to GDPR compliance.
Why and How Should Contact Centres Be Preparing for GDPR?
For contact centres that do fall under GDPR, a failure to comply means risking far stricter new penalties. Both controllers and processors will now be held much more accountable and legally liable for any breaches that occur in their systems, while organisations that suffer a breach and are found to be non-compliant can face fines of 4% of their annual global turnover or up to €20 million (whichever is greater) – a penalty which could lead to bankruptcy or closure.
The good news is that GDPR is similar enough to the DPA that, if you’re already DPA-compliant, there’s a good chance you’ll be GDPR-compliant too. To avoid unnecessary risk, however, it’s a good idea to take this as an opportunity to review and assess your data protection policies and systems.
How to ensure your contact centre is as accountable and transparent as possible:
- step up network security monitoring;
- ensure security systems are up-to-date and frequently tested;
- limit unnecessary staff access to sensitive data;
- limit unnecessary data retention;
- carry out the new mandatory privacy risk assessments;
- make sure your security policies and decisions are clear and documented;
- ensure you’re able to provide auditable data impact assessments if necessary.
Even if your contact centre does not operate within the EU, international data protection consistency is beneficial to the industry as a whole. The new GDPR legislation is designed to protect data in a way that is up-to-date with new tech, so compliance is likely to be advantageous for both you and your customers.
Do you have a question about GDPR that our guide hasn’t answered? Please get in touch with one of our expert data security consultants today and we’ll be happy to advise.