A new regulation governing data protection across the European Union came into force on 25 May 2018. It is called the General Data Protection Regulation (GDPR) and requires every business and organisation that handles personal data to raise the standard of how it stores, manages and uses that information.
At Teletrac Navman we have a dedicated team working to ensure the systems and processes that go into the services our customers use are GDPR ready. We are also committed to helping our customers use our services in a compliant way.
GDPR was introduced for two main reasons. First, the previous rules (the 1995 Data Protection Directive, implemented in the UK as the Data Protection Act 1998) had been overtaken by technology. Data stored in the cloud, or the way social media platforms exchange our data so that we can use their services, did not exist when that law was drafted.
The second reason is to provide a level playing field. As a regulation rather than a directive, GDPR applies directly in every member state, so data protection rules are broadly the same across Europe: all businesses must work to the same standard and all individuals receive the same level of protection.
There has been a lot of headline-grabbing media coverage about GDPR and the problems it will cause companies. With maximum fines of €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements, the headlines write themselves.
Teletrac Navman has been working diligently on GDPR for over 18 months. We have dedicated the time, resources, internal and external expertise and custom tools necessary for our business to achieve compliance with the GDPR’s enhanced privacy requirements. For example:
Alongside our internal team, we are working with external legal advisors and use a specialist software provider for record keeping and self-certification.
Part of our approach is to identify where our current processes require enhancement and close the gaps we find. Amendments to third-party contracts are being completed, auditing procedures are being finalised, and policies, templates and continuous improvement processes are being implemented.
Annual external penetration testing by a specialist company, backed up by regular internal penetration testing by our Global IT group, and Cyber Essentials certification have been in place for some time. Two-factor authentication has also been available to customers on an opt-in basis for some time; because it is opt-in, customers should confirm it is actually enabled on the accounts that matter to them.
Data protection ensures that any organisation which handles or “processes” personal data uses it fairly, transparently and lawfully. Put simply, data protection is about making sure a person has knowledge of, and control over, their personal data.
Personal data is any information relating to an identified or identifiable living individual. Obvious examples are names, email addresses and phone numbers, but it also includes less obvious identifiers such as customer or account reference numbers, online identifiers like IP addresses and cookie IDs, mobile device IDs, vehicle or driver identifiers, and geolocation data. Location history in particular can identify a person on its own, which matters for telematics.
Data processing means doing almost anything with personal data. Whether you are collecting, recording, deleting, or simply storing or holding personal data, you are “processing” that information. The important point is that you need a lawful basis (set out in Article 6 of the GDPR) for each processing activity.
Do data breaches need to be reported? Not always. A breach must be reported to the ICO, without undue delay and where feasible within 72 hours of becoming aware of it, when it is likely to result in a risk to people’s rights and freedoms; where the risk is high, the affected individuals must be told as well. In plain English, the ICO will want to be informed if the lost or stolen data could cause a person damage, in particular discrimination, identity theft or fraud, financial loss, damage to reputation, or loss of confidentiality. Whatever you decide, keep a record of the breach and the reasoning behind the decision, as the GDPR requires it.
Does GDPR apply to UK businesses, and will it still apply after Brexit? Yes on both counts. The UK was still a member of the European Union when the GDPR took effect in May 2018, so all UK businesses are subject to it, and the UK’s Data Protection Act 2018 carries its requirements into domestic law. Regardless of what Brexit eventually looks like, UK companies will continue to do business in Europe and hold data on European individuals, so the GDPR will continue to apply to that data. In fact, it does not matter where in the world you are: if you offer goods or services to, or monitor the behaviour of, individuals in the EU, you need to abide by GDPR.
Can you still communicate with your customers? Yes. GDPR simply requires that you have a lawful basis for doing so. Informing customers about delivery slots or telling them about service updates are good examples of compliant communications. Other types of communication, marketing in particular, need more thought about the lawful basis relied on and whether the message is something the customer would reasonably expect to receive from you given the nature of your business relationship; electronic marketing is additionally governed by the UK’s PECR rules.
Our products are designed for compliant use under current data protection laws and the GDPR, and we stand ready to support you as you assess whether the settings or functions you rely on today need to be adjusted. We recommend this type of assessment to ensure compliant, uninterrupted use of the products you depend on.
One approach is to carry out a Privacy Impact Assessment (PIA), which the GDPR formalises as a Data Protection Impact Assessment (DPIA). It is a structured way to analyse how personal data is collected, used, shared and maintained, and it is a very useful way to identify high-risk areas that need further consideration. Note that Article 35 makes a DPIA mandatory for processing likely to result in a high risk to individuals, which includes systematic monitoring of people on a large scale; tracking the location of drivers or vehicles used by employees is a common case where one is needed. The ICO publishes guidance and templates to guide you through the process.
Will the ICO use GDPR to issue massive fines? No. The Information Commissioner’s Office (ICO), which is responsible for enforcing GDPR in the UK, has published a blog post making it clear that it is not using GDPR as an excuse to issue huge fines and that fines remain a last resort. The ICO does not receive any portion of the fines it issues; they are paid to the Treasury.
GDPR is not to be feared. It is something to prepare for. It is certainly a step up from the previous legislation, but for responsible businesses it should be a matter of evolving existing processes in order to reach compliance.
We hope this information was helpful to you. We recommend everyone takes some time to learn more about the new laws. The ICO has published a number of guides and checklists, all freely available on its website. There is also no substitute for seeking independent legal advice specific to your business, especially when performing your Privacy Impact Assessments or determining what readiness steps are appropriate for your operations.