If a company touches data, GDPR probably touches it

The most important privacy protections in the history of computing come into effect on May 25. Companies that have not already taken steps to comply with the European Union’s General Data Protection Regulation (GDPR) are behind the curve.

But there are many working in companies that must be GDPR-compliant but have not been touched personally during the 2-year run-up to this month’s compliance deadline. Here we will offer a short backgrounder on the new rules – which can seem complicated – and emphasize the need for everyone who touches customer data to be aware of GDPR and their responsibilities.

Cloud4Wi is proud to be fully compliant with the GDPR. We’ve implemented various changes to make sure that we, Cloud4Wi, and our customers have everything in place to comply with GDPR.

What is GDPR? Why does it matter?

GDPR is the first major rewrite of Europe’s privacy regulations since the mid-1990’s. No law is perfect and will be some time before the details shake out, especially how regulators will interpret and enforce specific provisions. Violators face potentially huge penalties – estimated to be up to 79 times larger than current sanctions.

Under the GDPR, small offenses will carry a fine of up to £10m or 2% of a firm’s global turnover, whichever is larger. More serious violations will result in fines up to £20m or 4% of a firm’s global turnover, again depending on which is more substantial.

Those potentially eye-watering (and company-ending) fines are one reason companies have focused so closely upon this month’s deadline, though it is as yet unclear how aggressively EU authorities will prosecute GDPR violations.

Further, every organization that collects data from or about European citizens must be GDPR-compliant, regardless of their headquarters location or where the data is stored. That is why many international organizations are accepting GDPR is a global requirement or segregating non-European customer data from that collected or stored within the EU.

GDPR will be everywhere

Recent privacy breaches, notably those at Equifax and Cambridge Analytica, but including many smaller incidents, have the U.S. looking seriously at changing its data privacy laws. The GDPR is often mentioned as a possible template for any new regulations. The timetable for new American rules is not clear, but GDPR compliance is often cited as a valuable first step for U.S. companies.

Does a company “control” data or just process it?

Companies that decide what data to collect and what is done with the information are called “data controllers” under the GDPR. Companies that assist in the collection and who may work with the data – but lack decision-making authority are called “data processors.”

The burden of GDPR compliance falls heaviest on the data controllers, which are often directly customer-facing. Data processors should take steps to ensure they do not mix controller and processor roles and comply with all GDPR requirements.

Corporate privacy policies, required by the GDPR, must specify who the data controller is as well as various data processors involved in handling the information. In most cases, Cloud4Wi is a data processor and our customers are the data controllers.

What does the GDPR require?

Here are essential requirements set by the EU for organizations that handle the personal data of EU citizens:

Consent

The GDPR requires explicit permission for the gathering and use of personal data. According to the EU, companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form. It must also be as easy to withdraw consent as to give it.

Breach Notification

Under the GDPR, breach notification is required where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This notification must be done within 72 hours of first having become aware of the breach.

Right to Access

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. There is some flexibility here in that data controllers must compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Privacy by Design

Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. Controllers are required to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing.

Data Protection Officers

A provision of the GDPR which has garnered much attention is the requirement for many firms to appoint data protection officers. And even when not required, having such a position, even informally, seems like a good idea.

The DPO is the point-of-contact between organizations and government and may be either an employee or an external service provider. In either case, the DPO must report directly to the highest level of management.

Cloud4Wi is fully compliant with GDPR

Cloud4Wi is fully compliant with this latest privay regulation, which we are happy to document. We are also working closely with our customers to assure their compliance, too. Data protection and privacy are end-to-end issues and a failure by either Cloud4Wi or a customer makes both appear untrustworthy.

In the recent months, we have conducted a detailed review of our tools, procedures and practices in light of the GDPR requirements. We have implemented the necessary changes and developed procedures to meet the requirements of the legislation. We have also appointed a DPO and a data protection working team.

We want users to have the peace of mind that comes with knowing their data is protected, yet still accessible. We have implemented GDPR features for all our customers worldwide and continue to respond to local legal requirements in all markets we serve.

The Cloud4Wi’s suite self care portal, available since the first release of Volare in March 2016, guarantees the individual’s “right of access” to all the information Cloud4Wi holds about them. Users have the right to update (or erase) information, as well as their marketing preferences.

We were among the first location analytics and marketing solutions to implement the GDPR and have worked with our customers to assure their compliance, too. Cloud4Wi believes the GDPR is more than just a requirement but also a very good idea.

It will not be the last word on data protection and privacy, but the GDPR deals with immediate challenges, changing public perception, and is a framework we can build upon for the future.