A new regulation governing data protection across the European Union came into force on 25th May 2018. It is called the General Data Protection Regulation (GDPR) and requires all businesses and organisations that handle personal data to enhance the way they store, manage and use that information.
At Teletrac Navman, we have a dedicated team working to ensure the systems and processes that go into the services our customers use are GDPR ready. We are also committed to helping our customers use our services in a compliant way.
GDPR was introduced for two main reasons. Firstly, the previous regulations were out of date due to advances in technology, for example data being stored in the cloud, or the way that social media platforms exchange our data so that we can use their services. When the previous data protection law was drafted, this kind of technology didn’t even exist.
The second reason was about providing a level playing field. Under GDPR, data protection laws are now the same across Europe. All businesses must work in the same way and all individuals get the same level of protection.
However, even though GDPR has been in force since 2018, there has been a lot of headline-grabbing media coverage about GDPR and how it will cause huge problems for companies. With potential fines of €20 million or 4% of your global annual turnover for not adhering to the regulations, the headlines write themselves.
Teletrac Navman had been working diligently on GDPR for over 18 months prior to 25th May 2018. We dedicated the time, resources, external expertise and custom tools necessary for our business to achieve compliance with the GDPR’s enhanced privacy requirements. For example:
We work with external legal advisors and use a specialist software provider for record keeping and self-certification.
Part of our approach is to identify where our current processes require enhancement and to close the gaps we find. Amendments to third-party contracts have been completed, auditing procedures have been finalised, and policies, templates and continuous improvement processes have been implemented.
Annual external penetration testing by a specialist company, backed up by regular internal penetration testing by our Global IT group, and Cyber Essentials certification have been in place for some time, as has opt-in two-factor authentication.
In the spirit of continuous improvement, our team also addressed issues such as additional enhanced measures relating to encryption, access security, the use of cookies, password strengthening, data retention strategy, and business/private GDPR compliance.
What is data protection?
Data protection ensures that any organisation which handles or “processes” personal data uses it fairly, transparently and lawfully. Basically, data protection is about making sure a person has knowledge of, and control over, their personal data.
What is personal data?
Personal data is any information that can be used to identify an individual. Obvious things like names, email addresses and phone numbers are examples, but it also includes less obvious identifiers such as certain unique identification codes, mobile device IDs and geolocation information.
What is data processing?
Data processing means doing pretty much anything with personal data. Whether you are collecting, recording, deleting, or even just storing or holding personal data, you are “processing” that information. The important thing to note is that you need a legally valid reason to carry out the processing of that data.
Is it true that if data is lost or hacked (also known as a data breach) the ICO must be informed within 72 hours?
Yes, but not always. Data breaches need to be reported when they are likely to result in a risk to people’s rights and freedoms. In plain English, that means the ICO will want to be informed if the lost or stolen data can cause a person damage, in particular discrimination, identity theft or fraud, financial loss, damage to reputation, or loss of confidentiality.
If this is European Law, will it apply to the UK when it goes live in May and will it still apply after Brexit?
Yes on both counts. Because the UK will still be part of the European Union in May when the GDPR comes online, all UK businesses will be subject to it. And regardless of what Brexit eventually looks like, UK companies will surely continue to do business in Europe and hold data on European individuals, meaning the GDPR will continue to apply to the personal data held about European individuals. In fact, it doesn’t matter where you are in the world: if you process the personal data of European individuals, you need to abide by GDPR.
Will I still be able to communicate with my customers? I’ve heard we have to delete all our contacts…
Yes, you will still be able to communicate with your customers. GDPR simply requires that you have a legally valid reason to do so. Informing customers about delivery slots or telling them about service updates are good examples of compliant communications with your customers. Other types of customer communications like marketing need to consider the legal reason behind the communication and whether it is something the customer should fairly expect to receive from you given the nature of your business relationship.
Our products are designed for compliant use under current data protection laws and the GDPR, and we stand ready to support you as you assess whether the settings or functions you rely on today need to be adjusted to comply. We recommend this type of assessment in order to ensure compliant, uninterrupted use of the products you depend on today.
One approach is to carry out a Privacy Impact Assessment (PIA). A PIA is a structured way to analyse how personally identifiable information is collected, used, shared and maintained. It is a very useful way to identify any high-risk areas that might need further consideration to ensure you are GDPR compliant. There are plenty of tools and templates available online to guide you through this process.
Now the fines are so high, is this just a government money-making exercise?
No. The Information Commissioner’s Office (ICO), which is responsible for enforcing GDPR in the UK, has published a blog post that makes it very clear that it is not using GDPR as an excuse to issue massive fines. The ICO does not receive any portion of the fines it issues today.
Next Steps
GDPR is not to be feared. It is certainly a step up from the previous legislation, but for responsible businesses it is a matter of evolving existing processes in order to reach compliance.
We hope this information was helpful to you. We recommend that everyone takes some time to learn more about the laws. The ICO has published a number of guides and checklists, all freely available on its website. There is also no substitute for seeking independent legal advice specific to your business, especially when performing your Privacy Impact Assessments or determining what readiness steps are appropriate for your operations.