Beat the Burden of GDPR: Reducing the Obligations for Data Controllers

MPP Global Posted by MPP Global on Tuesday, 30 January 2018

The General Data Protection Regulation (GDPR) is to replace the 1995 EU directive on data protection, with all ‘Data Controllers’ requiring a legal basis to process data by 25th May 2018. The regulation is set to impact businesses globally and technology vendors processing EU citizens’ data, with strict guidelines and major financial penalties.

Experts at MPP Global have broken down this new legislation, to advise how your business can become GDPR compliant and how eSuite can ease the burden.

Why is this regulation being implemented?  

An Accenture report revealed that 87% of people believed adequate safeguards were not in place to protect their personal information. In addition, 70% thought businesses are not transparent about how their information is being used.

Data must be adequately protected and encrypted. Software vulnerabilities and poor security have jeopardised the personal information of millions time and time again over the past decade. An example includes the data breach of Bupa in July 2017, affecting 500,000 customers on its international health insurance plan.Accenture report on GDPR

MPP Global’s pick of the key changes: how could GDPR affect your business?  

Dual Accountability

GDPR increases the liability and accountability for data controllers, like our clients, as well as data processors such as ourselves. There is a joint responsibility and both controllers and processors must evaluate processes, procedures and clearly demonstrate compliance. 

Explicit opt-in consent from data subjects must be obtained; you must offer the right to be forgotten or the right to withdraw consent at any time. The withdrawal mechanisms must be as easy to navigate as it was to give consent. 

This is particularly important for marketers, who will not be able to send out mass campaigns without first obtaining complicit consent, for example, by using an opt-in checkbox. 

Data Record Visibility 

Maintain clear records of all personal data categories to show that complicit consent was given and prove what exactly the individual has consented to. 

Global Liability  

GDPR applies to all companies who are offering services to customers within the EU. For example, a US company selling newspapers in the EU must comply. The regulations are therefore applicable to global organisations who operate and process personal EU citizen data in or outside the EU. 

Data Transfer Restrictions 

Similarly, transferring personal data outside of the EU is prohibited and privacy risk assessments must be conducted when projects involve personal data. 

Potential Fines  

Ultimately, the Data Protection Commission can sanction potential fines of up to €20m or 4% of global annual company turnover if standards are not adhered to. 

Ensure a smooth transition with eSuite: how eSuite reduces GDPR obligations 

As a data processor, MPP Global and eSuite meet GDPR requirements and maintain full commitment to data protection and maximum security, reducing your obligations. We recommend appointing a Data Protection Officer (DPO), who can liaise with our in-house subject matter expert in preparation for data protection impact assessments (DPIAs). 

MPP Global is PCI-DSS Level 1 Compliant  

With an existing framework built on PCI-DSS Level 1 compliance, MPP Global has leveraged existing processes and functionality to adhere to GDPR requirements and treat personally identifiable information (PII) with the same stringent security measures as payment data.  

Therefore, using an industry-leading solution such as eSuite could drastically reduce your PCI and Data Protection obligations, reducing the CAPEX required to gain compliance and the OPEX to maintain compliance.  

Rich Role-Based User Permissions 

eSuite’s role-based functionality enables clients to apply tiered level access to different members of the team, enabling the DPO to easily lock down or limit access to PII across the entire platform, including exportable information.

Advanced Reporting and Data Exports 

GDPR requires clear processes to view and export data. Reports that contain PII will be transferred securely, server-to-server, to an approved list validated by the clients’ DPO to those with sufficient permissions.

Clear Data Record Visibility and Encryption

eSuite maintains clear records of all personal data categories to show when and how data consent was given and ensures all PII is encrypted to those without sufficient permissions. eSuite also uses two-factor authentication (2FA) as an additional security measure to verify users.

Reduced Cost and Resource

MPP Global is a fully PCI and GDPR compliant vendor and a single source for your data protection needs, reducing CAPEX and OPEX incurred in trying to gain and maintain compliance, including a highly skilled team to provide technical data protection insight. 

The Future of Subscriptions

GDPR will likely have a significant impact on subscription-based companies. They rely on sensitive customer data to operate, whether they store and process this data themselves or rely on a third-party vendor. As with all businesses dealing with EU citizens, compliance is essential, but subscription businesses will need to take a hard look at the data they hold to determine if it is necessary.

Importantly for content businesses operating a personal data wall, the regulation allows for specific content to be restricted to consenting users, “if used for a legitimate purpose”. The Internet Advertising Bureau (IAB) Europe explains “While the Article 29 Working Party recommends that companies do not make access conditional on consent, it recognises that access to privately-owned services can be made conditional on acceptance” [1]. Effectively this means that publishing & media companies can still gather information on non-paying users if they restrict access to some free content by placing it behind a data wall and asking those users to “pay” with their consent.

Conclusion

If you haven’t already, start the conversation about privacy and GDPR in your organisation. You still have time to get an updated privacy strategy in order. Take steps immediately to meet new regulations, ensure third-party vendors such as eSuite are fully compliant and establish clear processes and visibility to internal stakeholders. 

References

[1] https://www.iabeurope.eu/wp-content/uploads/2017/11/20171128-Working_Paper03_Consent.pdf

Further information taken from ICO Draft Guidance ico.org.uk