PART TWO: Consumer rights and data breaches
Familiarise yourself with your customers’ rights
Under GDPR, your customers are given comprehensive rights that can be enforced in relation to the collection, processing or storing of their data.
These rights will limit how you handle customer data. So you will need to put procedures in place to ensure that you can both adhere to and service their requirements.
These rights are as follows (in plain English):
To be given access: Your customers have a right to see what data your business holds about them.
If they issue a request to see the data, you need to be aware that – in most cases – you will not be able to charge for the service.
You will have one month to comply with any request, unless it is complex, in which case you can be granted an extension.
Remember to put internal security measures in place when releasing any sensitive data.
If a contact asks you to provide them with data, it would not be deemed unreasonable to request that they come into the office and present suitable identification to you.
This would certainly demonstrate that you are protecting your customers’ and your business’s best interests.
The right to erasure – also known as the “right to be forgotten”: Individuals have the right to have their data removed from your database at any time, provided that they are not currently benefiting from any of your services and that you are not contractually obligated to store their data.
This right applies when:
- The personal data is no longer needed for the purpose(s) for which it was collected.
- The individual withdraws consent.
- The individual objects to the processing in cases where there is no overriding reason for continued processing.
- The personal data was processed unlawfully.
- The personal data must be erased to comply with a legal obligation.
To move, copy, or transfer: You need to be aware that your customers have the right to obtain and re-use their personal data for their own reasons across different services.
So you will need to ensure that you can service their requirements to move, copy, or transfer their data easily and securely from one IT environment to another.
To be able to rectify or change: Your customers can have their personal data rectified if it is inaccurate or incomplete.
To restrict processing: Your customers have a right to ‘block’ or suppress processing of personal data.
Can you handle a data breach?
To prepare your business for breach reporting, your team needs to understand what constitutes a data breach, and recognise that this is more than a case of lost personal data.
A data breach encompasses destruction, loss, unauthorised alteration, and unauthorised disclosure of – or access to – personal data.
To comply with GDPR, your business needs to implement procedures to detect, report and investigate data breaches.
The Information Commissioner’s Office (ICO) must be informed of all data breaches in which there is a high risk to individuals’ rights and freedoms.
A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, and the individual should be informed.
Failure to report a data breach could result in a fine of €10m or 2% of turnover.
Richard Combellack is chief commercial officer at BriefYourMarket. https://www.briefyourmarket.com/
Disclaimer: BriefYourMarket.com is not a legal or regulatory body. This article is for informative purposes only. To understand your position in relation to the GDPR, please consult your legal adviser.