The new General Data Protection Regulation (GDPR) legislation is a reaction to advances in technology and the increasing threat of cyber attacks, and replaces the 1995 EU Data Protection Directive to increase the level of protection required for consumer data storage. An emphasis of this new legislation is putting control into the hands of the consumer – removing the option of ‘opt-out’ consent and ensuring that users explicitly consent to their data being stored and used by organisations. With failure to comply resulting in fines of €20m or 4% of annual turnover , whichever is higher, the onus is on businesses to document their data protection processes and incorporate ‘privacy by design’ into the architecture of their organisation.
If your business holds Personally Identifiable Information (PII), which can include data ranging from names and contact details to IP addresses and GPS data, you must register with the Information Commissioner’s Office ICO. This does not change based on from where the world the business is operating or holding the data. All businesses that hold data from European residents are required to be compliant with the new GDPR. In order to determine whether your organisation’s activities will be affected by the new GDPR you will need to consider the territories that are covered by your company.
Data flow must be monitored every step of the way in order to remain compliant with the GDPR. Native cloud services that are built on Amazon Web Services (AWS) infrastructure, such as Dubber, will benefit from AWS security expertise. AWS provide a Data Processing Agreement (DPA) that states that they will meet the requirements of the GDPR. Their teams of compliance, data protection, and security specialists work to ensure that their customers across Europe are fully prepared for the new regulations.
A brief history of data protection regulation from IAPP
In order to meet the requirements of the new GDPR, companies must appoint a Data Protection Officer (DPO) who will manage all aspects of compliance. They will need to manage data subject rights, and notify the data protection authorities about any data breaches. In some cases companies will be required to create their own DPAs, particularly if personal data is transferred outside the European Economic Area. Organisations may also need to file a Data Protection Impact Assessment (DPIA) with the supervisory authority for accountability.
With the requirement that consumers have the right to personal data erasure, organisations must store data in a consistent system. Employing a storage solution that is easily searchable will allow businesses to locate data efficiently and delete it promptly when requested. Companies have only one month to comply with customer requests under GDPR.
Data should also not be kept for longer than necessary. This echoes other financial services regulations such as MiFID II that require records to be kept for only five years. Choosing a solution, such as Dubber, that can delete call records after five years will ensure that no out-of-date and potentially inaccurate data is held. A solution built on cloud infrastructure offers an adaptable and scalable solution to allow organisations to remain compliant as their companies grow and reach new territories, and gives blanket reassurance across a multitude of regulatory requirements.
A key outcome of GDPR will be data protection becoming a point of differentiation for companies. Consumers will actively seek out institutions that they can trust with their valuable personal data. Those that invest in compliance solutions that can keep data securely stored as a company grows will differentiate themselves from others in the market who have not kept up to date with changing attitudes. These companies will not only benefit from increased market share, but from a growing store of valuable data that they can mine for information.