GDPR news: UK data watchdog opens GDPR helpline for SMBs
Designed to give people more control over their data, GDPR represents a challenge to organisations, which must bring their data protection policies into line with the regulation by the 2018 deadline. GDPR will compel organisations to secure clearer consent for using people’s information, and will introduce tougher fines for failing to protect people’s data.

03/11/2017: The Information Commissioner’s Office this week launched a helpline for SMBs preparing for the General Data Protection Regulation. The phone service, which opened on 1 November, is designed to address the specific data protection challenges facing the estimated 5.4 million SMBs operating in the UK. With staff on hand to answer questions, the service acts as an extra resource alongside the ICO’s existing guidance, with an emphasis on helping people with obstacles particular to their businesses. The ICO already offers firms of all sizes a 12-step guide to preparing for GDPR, which comes into effect in the UK from 25 May 2018, giving people more rights over their data and imposing tougher fines on organisations that fail to protect it.

06/08/2017: One in five large UK businesses are completely in the dark when it comes to the application of GDPR in their organisation, according to new data. First, GDPR requires people’s consent for their data to be held and shared – consent that will have to be reaffirmed actively once the legislation comes into force in May. Second, EU residents have the right to access all the data held about them at any time, and also to request that their data is removed at any time. Both of these may be a challenge when so many systems are in use and the data is no longer in the full control of the initial data controller. Another issue raised by the survey is understanding data ownership – a key tenet of GDPR. Only 27% of those questioned thought personal data belonged to the customer, with 50% thinking it belongs to the organisation holding it.
Chris Mayers, chief security officer at Citrix, said: “Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.”

“Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance,” he added.

The EU General Data Protection Regulation comes into force across the soon-to-be 27-nation bloc on 25 May 2018, by which point any organisation handling EU residents’ data must be compliant or face tough fines for breaches of up to 4% of annual turnover or €20 million, whichever is greater. As a result, CIF has updated its Code of Practice for CSPs to ensure they are compliant with the stricter data protection rules, which hand EU residents more control over their personal data and require organisations holding or processing the data to be transparent about what they are using it for.

Collaboration platform Box’s VP of compliance, Crispin Maung, told IT Pro earlier this year that data protection authorities “are struggling with figuring out what GDPR compliance really means and how they are going to measure [it]”. Retailer John Lewis and bank HSBC both criticised the UK data protection authority’s guidance so far on GDPR compliance, calling it “woolly”.
GDPR News Center – General Data Protection Regulation
“Article 4 of the GDPR will have a big impact on marketers,” says Van Uytven, before going on to quote Article 4 of GDPR, which defines how user consent for personal data usage must be given: “by a statement or by a clear affirmative action, [signifying] agreement to personal data relating to them being processed.” Inbound marketing is a gigantic slice of the daily routine of a digital marketer, and GDPR is about to regulate it like never before.

Countdown to GDPR

Here’s a brief refresher: the GDPR is an EU regulation meant to harmonize the patchwork of data protection laws in Europe.

A Partnership of Responsibilities for GDPR

When it comes to GDPR compliance, Workday and our customers both have responsibilities: our customers as data controllers, and Workday as a data processor. To quote from the official GDPR FAQ page, “A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” Below we provide some highlights about the protections Workday provides in its role as the data processor, and the tools we offer our customers to meet their responsibilities as data controllers.

Cross-border data flows: The GDPR continues to allow the flow of personal data across country borders, and includes provisions ensuring existing data transfer mechanisms remain valid going forward. In addition to Workday’s own compliance obligations under the GDPR as a processor of customers’ personal data, Workday also assists our customers in meeting their obligations under the GDPR in a variety of ways.

The EU will implement the most dramatic law of its kind governing data in May. The General Data Protection Regulation will strengthen and unify data protection for all individuals within the EU.
When it becomes effective, it will give control of personal data back to citizens and residents and simplify the regulatory environment for international business by unifying the regulation within the EU, replacing a data protection directive from 1995. The GDPR extends the scope of EU data protection law to all foreign companies processing the data of EU residents. There are some truly revolutionary aspects of the GDPR, both from the perspective of the data user and from that of the data provider or processor.

The biggest change to the regulatory landscape of data privacy associated with the GDPR is its extended jurisdiction: it applies to all companies processing the personal data of individuals residing in the EU, regardless of the company’s location. The GDPR will also apply to the processing of personal data in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens or to monitoring behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens must also appoint a representative in the EU.

The conditions for consent have been strengthened under the regime. Part of the expanded rights of data subjects outlined by the GDPR will also be their right to obtain from the data ‘controller’ confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Also known as Data Erasure, the “Right to be forgotten” entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The EU’s new General Data Protection Regulation is a set of rules that give consumers rights over how their data is stored, used, and deleted.
With the May deadline for compliance edging ever closer, a vast majority of organizations believe that compliance with the upcoming General Data Protection Regulation would be difficult to achieve.