The General Data Protection Regulation (GDPR) is a reform of the current data protection rules. It is currently being written into UK law and will apply to all organisations who hold personal data from 25 May 2018.

The term ‘Personal data’ is given quite a broad definition by the Information Commissioner’s Office (ICO) and has been relevant since the Data Protection Act (1998).

The GDPR builds on the DPA and is intended to increase the protection of EU citizen data, and with it the powers of enforcement wielded by the ICO have been substantially increased.

Penalties for non-compliance will be “effective, proportionate and dissuasive” and this can include administrative fines, corrective measures and compensation. This can translate to headline grabbing fines such as the greater of €20 million or 4% annual turnover, but one should also consider the reputational damage that would likely result from the publication of a breach.

Depending on the degree of alignment with the current data protection rules, achieving compliance will take time and money, but if managed correctly there are steps that present opportunities and can be linked to other business objectives that provide a return on investment.

Data Controllers and Data Processors

Within data protection regulations, the terms ‘Data Controller’ and ‘Data Processor’ are extensively used, and the responsibilities and obligations differ for each. A person or organisation who decides what personal data will be stored and what to do with it is a Data Controller, and those that process the data on behalf of the Data Controller are Data Processors.

In the context of the relationship between Cubic Interactive and our customers, we are the Data Processor and you are the Data Controller. The products we provide are used to process the data that you control, and due to the nature of our products, you can choose what kind of data that includes.

Of course, Cubic Interactive is also a Data Controller for our own purposes (and have our own Data Processor relationships), so we know what kind of challenges you face.

The current Data Protection Act (1998) requires every data controller to register with the Information Commissioner’s Office (ICO), unless they are exempt. The GDPR takes this further and requires certain organisations to assign a Data Protection Officer (DPO) as a named person registered with the ICO. The ICO website provides guidance on whether registration is required.

Please note that the registration fees payable to the ICO are set to increase this year, so you should look into this well in advance of 25th May 2018.

What is Cubic Interactive doing about it?

Cubic Interactive have already taken positive steps to becoming GDPR aligned, and this includes:

• Significant investment in ongoing advisory services.
• Production of a proactive, non-mandatory Data Protection Impact Assessment (DPIA).
• Commitment to add features/functionality to help you, the controller, meet your obligations. 
  

Data Protection Impact Assessments are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.

What have we looked at as part of the DPIA?

• Personal data being processed
• Purpose of processing
• Business processes and activities executed by processing personal data
• Supporting assets
• Operational considerations
• Stakeholders
• Information flow
  

We have already published a Customer Summary of the early output from the DPIA and are now working our way through detailed risk assessments and risk treatment plans are part of this process.

The Customer Summary document has been sent to contacts at all our existing clients but please ask your account manager if you didn’t get a copy.

We’ve been looking at all the areas within the system that do or may contain personal data and are coming up with ways to help data controllers adhere to the rights of data subjects.

On the cards are things like:

• A new section on the Contact module to track consent and data access/deletion requests.
• Facilities to support personal data being removed or anonymised without impacting on associated data such as labour costs and audit trails etc.
• Mechanisms to show the age of data subjects requests.
• The ability to flag any record as containing personal data.

The GDPR defines whether an organisation needs to carry out a DPIA. You may already have taken steps to meet your GDPR obligations, but in addition to using GDPR aligned data processors, here are some things for you to think about:

• How personal data is collected and the related source
• For what purpose is personal data collected
• How will personal data be processed
• Personal data retention and disposal policy
• How personal data will be managed and modified
• How will personal data processors and application developers protect personal data
• Identify any personal data transferred outside the European Union (EU).
  

If you haven’t started your GDPR journey, please refer to the ICO’s 12 Steps to Take Now guidance.

For more information on GDPR (and the current DPA) go to ico.org.uk.

Keep checking the Cubic Interactive website for updates on our GDPR journey.