Data - The new regulations extend the meaning of personally identifiable data to include computer IDs and any other mechanism that could be used to track an individual user. The existing distinction between B2B and B2C users are to be dropped, all must be treated the same.
Control - Users will have more control over their personal information. It should be easy for them to change, view and remove information. Customers will have the right to port their data from one supplier to another and they will also have the right to be forgotten, which requires companies to completely delete people's personal data. Currently, some organisations charge users to access the information they hold on them, the new law means your users can access their information free of charge.
Consent - You will be required to always gain consent to store user information into your systems. From next year everyone will require a positive opt in. You cannot offer them a pre-ticked box or an option to Opt Out etc, you must also obtain specific consent for all channels and usages you intend to use in relation to their data.
All consents you receive will need be recorded adequately as you will be required to provide proof that consent was given. You need to consider date, mechanism and scope for all consent records. Customers will have the right to opt out of any of the consents they give, including being profiled according to their interests and behaviour, unless they have previously consented to it or it is required as part of your terms and conditions.
Inform - You are required to inform users of everything that will happen to their data. As well as this, you must inform your customers if your company or any subcontractor suffers a security breach and if your user records have been hacked.
When will I need to start making changes?
It is recommended that you start implementing changes needed to comply with GDPR as early as today. It is entirely likely that your current user records do not comply with the requirements of GDPR and after May next year you will be breaking the law if you use them. All your records need to have GDPR compliant consents in place before May 2018.
You cannot use your records to ask for consent after May 2018 because you will not have consent to use the records, for any purpose. Even owning and storing the records will technically be illegal. To get the consent you require you must do so before May 2018 and to the standard required by the GDPR.
A useful guide is available from the Information Commissioner's Office together with more detailed information.
What are 101 doing?
Like every business, 101 is working to review our internal policies and processes to ensure our compliance with the obligations of the GDPR in advance of 25 May 2018.
At this time, we are unable to give any specific details as to the precise steps that we are taking. This is because all of our relevant policies, processes and systems are undergoing review. Further, guidance on the GDPR is still being formulated and reviewed by various bodies (the ICO and the Article 29 working party, for instance). All of this makes it impossible for us or any business to be able to provide specific guidance as to the outcome of our reviews at this stage.
That said, we are undertaking a privacy impact assessment in addition to conducting a full technical review of our services and can reiterate that 101 will be fully GDPR-compliant before the effective date of 25 May 2018. We will continue to comply with all current data protection legislation and we will update all clients as necessary once we have confirmed the steps required to comply with the GDPR.
By Roger Sutton