With GDPR fast approaching, most organisations have finally decided to get their (data) house in order and make some drastic changes to how, where and why they store and use personal data. It’s clear that the changes arriving with GDPR in May 2018 will be more strictly enforced than ever before, and defining what should and shouldn’t be done is key to implementing a proactive plan as soon as possible. These new regulations introduce fresh processes for handling sensitive personal data collected from your clients and partners, so if your company is unprepared for the change it could find itself facing issues such as SARs (Subject Access Requests) based on what personal data you hold, how you store it, and what you use it for.

One of the main issues expected to arise for unprepared organisations is explicit consent. From early next year, GDPR will require companies by law to provide a clear explanation of the processing to which data subjects are giving explicit consent. Consent will also need to be clearly voluntary and “opt-in”, with the possibility for the subject to unsubscribe, or to have their personal data and consent record purged, easily and at any time they choose. Gone are the days when silence or inactivity were good enough to collect consent (e.g., pre‑ticked boxes do not constitute valid consent). That’s where the legacy data conundrum comes in, making the upcoming changes in GDPR a little more confusing.

Legacy data – what is it?

Legacy data can be described as information or personal data which has been stored in an old or obsolete format or computer system and is therefore difficult to access or process when required. Once this data is moved over to a new system and set of processes, it is still legacy data, and will need to be treated in a very specific way.
The question on everyone’s lips is: ‘What will happen to the personal data your company has collected under pre-existing data protection laws once GDPR and explicit consent are fully enforced?’

Legacy data – what needs to be done

While most information about the usability and maintenance of legacy data after GDPR enforcement is foggy, some things are very clear. It is not a safe bet to rely on leniency over legacy data and explicit consent issues. When asked whether we can still use legacy data collected in line with past legislation, Steve Wood, Head of International Strategy and Intelligence at the UK’s Information Commissioner’s Office, recently commented at an IAPP event: “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” He continued: “What you will see is a common-sense, pragmatic approach to regulatory principles.”

Keeping that in mind, the only logical approach is to adopt a strategy for re-consenting and re-permissioning before the deadline hits. All old personal data will have been collected in a way that becomes obsolete as of May 2018, and no grandfathering privileges will be granted for legacy data afterwards.

Legacy data & email marketing

On the topic of legacy data and direct email marketing, things can be approached a little differently. For current customers and email subscribers you will need to be ready to supply proof of an existing customer relationship and provable subscriber consent. For lapsed customers and inactive email subscribers you will no longer be allowed to use their personal data; you will need to delete unnecessary information and roll it up into reporting data. If you have active subscribers on your email lists but do not hold provable explicit consent, it may be possible that this activity in itself constitutes proof of a current customer relationship.
You’ll need to prove the value of the content you are delivering and its functionality as a stand-alone service. You’ll also need to prepare a case around the perceived loss that would be suffered should the deliveries cease.

A solution to legacy data uncertainty

We recommend avoiding the hassle by availing of a service within our platform whereby you can ingest your legacy databases and batch-email all legacy data subjects to request fresh explicit consent in one click. From there you have an auditable log of the data subjects who consent to your terms and those who have rescinded consent. You can set rules to automatically purge non-responders from your database. With PlanetVerify you can manage, verify and store your customers’ personal data from one dashboard, and collect all new personal data through the same systems going forward. Free up your time for Q1 of 2018, forget about GDPR compliance, and shrug off SARs stress.
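As an added illustration (not PlanetVerify code, and not a description of its platform), the re-consent and purge workflow described above modelled as a small Python consent ledger: legacy or pre-ticked consent stops being valid on the enforcement date the page gives, every such subject is asked for a fresh opt-in, the answer is logged, and those who decline or never answer within a grace window are deleted. The subject ids, dates and the grace window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GDPR_ENFORCEMENT = datetime(2018, 5, 25, tzinfo=timezone.utc)  # enforcement date from the page

@dataclass
class Consent:
    subject_id: str           # pseudonymous key; the ledger itself holds no personal data
    basis: str                # "legacy" (collected under the old rules) or "explicit_opt_in"
    obtained_at: datetime
    pre_ticked: bool = False  # silence or a pre-ticked box never counts as consent
    withdrawn_at: Optional[datetime] = None
    reconsent_sent_at: Optional[datetime] = None
    def is_valid(self, at: datetime) -> bool:
        if self.withdrawn_at is not None or self.pre_ticked:
            return False
        if self.basis == "legacy":  # no grandfathering once GDPR is enforced
            return at < GDPR_ENFORCEMENT
        return self.basis == "explicit_opt_in"

class ConsentLedger:
    def __init__(self, records: list) -> None:
        self.records = {r.subject_id: r for r in records}
        self.audit = []  # append-only trail of (time, subject, event)
    def _log(self, now: datetime, subject: str, event: str) -> None:
        self.audit.append((now.isoformat(), subject, event))
    def send_reconsent_requests(self, now: datetime) -> list:
        # Batch-email everyone whose current consent will not survive enforcement day.
        targets = sorted(s for s, r in self.records.items()
                         if r.withdrawn_at is None and not r.is_valid(GDPR_ENFORCEMENT))
        for s in targets:
            self.records[s].reconsent_sent_at = now
            self._log(now, s, "reconsent_requested")
        return targets
    def record_response(self, subject: str, opted_in: bool, now: datetime) -> None:
        r = self.records[subject]
        if opted_in:  # a fresh explicit opt-in replaces the legacy basis
            r.basis, r.obtained_at, r.pre_ticked = "explicit_opt_in", now, False
        else:
            r.withdrawn_at = now
        self._log(now, subject, "opted_in" if opted_in else "withdrawn")
    def purge_unconsented(self, now: datetime, grace: timedelta) -> list:
        # Those who declined, or never answered within the grace window, are deleted; only the audit event remains.
        gone = [s for s, r in self.records.items() if r.withdrawn_at is not None or
                (r.reconsent_sent_at is not None and not r.is_valid(GDPR_ENFORCEMENT)
                 and now - r.reconsent_sent_at >= grace)]
        for s in gone:
            declined = self.records.pop(s).withdrawn_at is not None
            self._log(now, s, "purged:declined" if declined else "purged:no_response")
        return gone
```

Constructed records with a legacy subscriber, a pre-ticked box, a valid opt-in and a decliner exercise all four paths; a pre-enforcement purge with an unexpired grace window removes only the decliner.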
What is ‘Privacy by Design’?

The concept of privacy by design (PbD) is a recently developed approach which places privacy and data compliance at the forefront of business objectives and projects. It implements these priorities from the beginning of every process, keeping strategies protected from data breaches and in line with EU data protection regulations such as the impending GDPR, due to take effect in May 2018. Privacy by design offers protection from the inception of your projects rather than as an addition later in the process, when it is most needed. This allows for a secure and solid launch without the need to bolt on privacy measures afterwards.

The PbD framework has seven foundational principles:

1. Privacy must be proactive, not reactive, anticipating privacy issues before they reach the user.
2. Privacy must be the default setting for users. They should not have to take action to secure their privacy, and consent for data sharing should not be assumed.
3. Privacy must be embedded into the design.
4. Privacy must be positive-sum and should avoid false dichotomies.
5. Privacy must offer end-to-end lifecycle protection of user data. This means proper data collection, storage and deletion.
6. Privacy standards must be visible, transparent, open, documented and independently verifiable. Your processes for data management must stand up to external scrutiny.
7. Privacy must be user-centric. The user should be provided with accurate and transparent information, and your system should have user-friendly tools to access it.

It is important to remember that privacy by design is not about protecting data after the fact but about being proactive in the design itself, so that the data you hold does not need external protection later down the line.

Why is Privacy by Design important now?

In Europe, data protection regulation has undergone a complete overhaul.
These new rules, known as the General Data Protection Regulation (GDPR), become legally enforceable on 25 May 2018. This means that your business should already be working on ensuring it is GDPR compliant. It is crucial to treat privacy by design as a proactive measure rather than a reactive one, as under the new GDPR guidelines organisations will have to document their PbD development processes. This documentation must be made available to the European regulatory authority in the event of a data breach or a complaint from a consumer. European data protection and privacy laws are extraterritorial. They apply to the people within Europe about whom the data is collected, regardless of where the service is provided from. In fact, if you offer your product to European customers, you must comply with EU data protection law for those consumers even if your organisation is not physically located in Europe.

PlanetVerify’s Privacy by Design

Our application allows documentation to be stored on your devices in a secure, encrypted format. It also allows for ultra-secure transmission of documentation should it be requested through a Subject Access Request (SAR) or similar. We enable companies to build ‘privacy by design’ into their data protection policies from as early on as possible. With our automated ‘collect’ and ‘destroy’ methods, we ensure complete discretion and security are offered to all users. Privacy control practices prevent data leakage, eliminating the possibility of intentional or planned privacy breaches. These privacy control practices prevent personal data being downloaded, forwarded on or printed, a common issue and cause of data protection breaches for companies that use email hosts to transmit sensitive private data between parties.
Our platform enables companies to enforce data privacy controls that are stronger, simpler to implement, harder to bypass, and completely embedded into a system’s core functionality, for a holistic privacy control approach at the forefront of any company.

Privacy by Design – now is the time

Collection, storage, verification and compliance with the GDPR and all other data protection rules and regulations are made easiest with a privacy by design approach. Creating an infrastructure to collect, manage and monitor your clients’ or customers’ personal data in real time has never been so integral to the core functionality of companies as it is today. Using services like PlanetVerify to achieve these goals will position you as a safe, fortified and trustworthy company and do away with the later stress of dealing with unwanted data protection breaches, or SARs your company might be unprepared for. Implement privacy by design and centralise your data privacy protection measures in real time.