With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, organisations have little time left to bring themselves into compliance with the European Union (EU) regulation. In this blog post we outline what GDPR changes and how it affects the telecoms sector.
What is GDPR?
The General Data Protection Regulation (GDPR) replaces the EU Data Protection Directive 95/46/EC, implemented in the UK by the Data Protection Act (DPA) 1998, and modernises the way organisations are required to manage personal data. Technology has advanced significantly since 1998, and the new regulation aims to make the digital marketplace more secure for consumers, which in turn makes cyber risk and data security a more pressing issue for businesses.
What are the main concerns with customers' data?
The new rules give individuals greater control over their own personal data. A business may only process personal data for specified purposes and on a lawful basis, and where it relies on the user's consent, that consent must be freely given, specific, informed and unambiguous (Articles 6 and 7); data collected for one purpose cannot simply be reused for another without the user being asked.
How will it affect the telecommunications sector?
Given the above concerns, customer-facing companies will be affected the most by the new regulation. With most telecommunications companies holding valuable data on their customers, GDPR will significantly affect the sector. The regulation requires telecommunications companies to support data portability (Article 20): on request, they must provide a customer with a copy of their personal data in a structured, commonly used and machine-readable format. Keeping track of where personal data is held, and being able to retrieve it in a coherent and usable form, will therefore be essential.
Why is personal data so pertinent with telecommunications?
The telecommunications sector has seen huge advances in technology in recent years, and our mobile phones have effectively become small computers. Mobile apps, online retail and entirely new industries have grown up around the use of our personal data. The new rules are coming into force partly in response to nine out of ten Europeans expressing concern about mobile apps collecting their data without their consent, and seven out of ten worrying about how companies may use the information they disclose.
GDPR's introduction of 'data protection by design and by default' (Article 25) means that safeguards must be built into products and services from the earliest development stages, and that privacy-friendly default settings become the norm, for example on social media networks or in mobile apps.
What about a specific example?
As already mentioned, GDPR will affect mobile apps that collect data from their users. Fitness applications, where users record their dietary and exercise habits, are one example; such data may also count as data concerning health, which is a special category under Article 9 and attracts stricter conditions. Companies running these applications will have to explain clearly how the data is used and inform users when it is shared with third parties.
What are the penalties for inadequate data protection measures?
Organisations that breach the regulation can be hit with hefty fines: up to €20 million or four per cent of annual global turnover, whichever is higher. The appropriate fine is assessed case by case, taking into account a range of factors including:
- the gravity/duration of the violation;
- the number of data subjects affected and level of damage suffered by them;
- whether the infringement was intentional or negligent;
- any actions taken to mitigate the damage;
- the degree of co-operation with the supervisory authority.
What should your business do?
Ultimately, any telecoms business that handles the personal data of EU citizens will be affected by GDPR. If your business has not already done so, it is imperative to identify gaps in compliance, so that risks are assessed and a remediation strategy is in place before 25 May 2018.
Businesses will have to update consent agreements with customers to ensure they comply with the new regulation. Further, under Article 37 of GDPR, controllers and processors must designate a data protection officer where their core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, so firms handling significant amounts of sensitive data or monitoring many consumers will be required to appoint one. Organisations should take advice and act now to ensure they meet what the new data protection regulation requires.
A sufficient IT infrastructure is a fundamental component of any organisation that wants to function efficiently and effectively in this economic climate.
The UK has recently opened its new National Cyber Security Centre, which is part of a £1.9bn five-year strategy by the UK government to tackle cyber crime.