GDPR – What is it? Are you aware of it? Have you planned for it?

GDPR – What is it? Are you aware of it? Have you planned for it?

One of the roles that Metalogic carry out on behalf of their customer base is to be aware of forthcoming legislation that will impact on them both from a system and business viewpoint. Over the last ten years this has seen Metalogic staff sitting on committees to review and standardise EDI in the European Steel Industry, attending ISO 9000 briefings and more recently working with the BSSA in assuring that iMetal meets all the requirements of CE marking. Now with no time to take a breath a piece of legislation due to come into force early next year is occupying our attention.

Despite wide coverage and with only having a little more than six months until the EU General Data Protection Regulation (GDPR) compliance deadline, a recent survey has shown that 55% of UK small businesses are still unaware of GDPR.

Lack of knowledge of the legislation is surprising, with 27% of all senior decision-makers at UK organisations questioned unfamiliar with the changes introduced by GDPR.

The survey also revealed that 20% of senior decision-makers said their organisation have yet to put a plan in place to prepare for GDPR, with an additional 19% saying they don’t know if their organisation is prepared for GDPR.

Key changes introduced by the GDPR

The GDPR will supersede the current Data Protection Act (DPA) and will extend individuals’ data rights.

The Regulation will be enforced from 25 May 2018 and introduces a number of key changes to data protection laws:

• It broadens the definition of ‘personal data’ to encompass an individual’s mental, economic, cultural and social identity.
• It requires parental (or equivalent) consent to process children’s data.
• It changes the rules for obtaining valid consent when collecting data. Consent must be given by a clear and affirmative action.
• It mandates the appointment of a data protection officer (DPO) for certain companies.
• It requires data protection impact assessments (DPIAs) for organisations that undertake high-risk data processing activities.
• It requires data controllers to report a data breach within 72 hours of discovery.
• It gives data subjects the right to be forgotten.

With organisations facing significant fines for non-compliance (up to 4% of annual global turnover or €20 million – whichever is greater), it is essential that all staff, including senior decision-makers, understand the requirements of the new regulation and how it will affect them.

Does it affect me and my organisation?

It affects everyone and whilst most companies in the metals sector have  business to business transactions they may and will have data regulation responsibilities under the tighter guidelines of GDPR.

Why do we need these revised regulations?

Due to the growth of the internet and changes in behavioural advertising and social media, personal data is now being used in ways that were not envisaged at the time the current EU Directive was drafted making it not fit for purpose. There is a public led, political impetus for stronger data protection resulting in the need for GDPR.

What is Metalogic doing to keep pace with GDPR changes?

As with all legislation, environmental and technical changes that impact on its customers, Metalogic has already made a commitment to our customers that we will help them meet the requirements of this legislation ahead of May 2018.

As part of this work, within the newly formed “Jonas Metals Division” we are working with a specialist consultancy to review the impact that GDPR will have on our customer base. From this we will be making the changes that our ERP applications will need to be enabled to handle.

We are working towards our products being built according to the ‘Privacy by Design’ principle enabling our customers to fulfil their duties in adhering to EU GDPR. These proposed changes will be reviewed with a specialist GDPR lawyer, to ensure correct and complete interpretation of the law.

At this stage our expectation is that there will be modules and products that will need to be changed to align with the GDPR legislation – facilitating our customers’ ability to be compliant with the GDPR. As our review progresses, we will advise the schedule for software updates, also whether there are any areas that do not require updates.

We started work on this in early 2017 and new versions of products should be ready to be deployed to our customers from March 2018. Please note that all product modifications will be made to the general release version of the software only.

We advise customers on legacy versions of our products to therefore start discussing upgrades in conjunction with your Metalogic Account Manager.

Some of the older legacy versions may require an interim upgrade – for compatibility with GDPR until the client is ready to upgrade to the latest GDPR ready version.

Metalogic will be working closely with our hosted customers to ensure GDPR regulatory guidance.

All Metalogic customers will have the option to upgrade to GDPR ready versions by May 2018 to fulfil their duties in adhering to EU GDPR.

What Should our customers be doing ?

Customers should review all existing processes in place within their organisations that relate to the storage and use of client’s / contacts personal data. In particular, consider areas relating to:

• Consent – it should be possible to trace and identify what an individual has consented to, as well as the time and method of consent. This consent could cover contact details joining information, health data, and marketing preferences. It should also be possible for a member to change preferences or withdraw consent easily.
• Security of data – Metalogic customers not using password rotation should consider moving to this functionality.
• Capture of children’s’ data – the GDPR states that parental/guardian consent for access to online services is required for children – in the UK <13 years old. This means that as an operator, you need to consider if your store any data on or about children. Do you note details of a client’s family members in your CRM/marketing databases.
• Archiving and deletion of end customer data – it is worth re-examining both the length of time you need to retain data on contacts and the way that you store this.
• Analytics, anonymization, and profiling – cookies should be treated as personal data and require consent – cookies set for different purposes may need separate consent. For your own websites, consider whether you have cookie consent exemption, automatic anonymization of visitor id, respect for DoNotTrack preferences, and opt-in/out on any privacy policy pages.

Reviewing your own processes is time consuming and complex, for this reason, Metalogic encourages its customers to seek qualified GDPR legal advice to ensure compliance with the GDPR.

It should be emphasised that Metalogic software alone cannot make an operator compliant as the regulation applies to all processes and practices performed by operators. However, we aim to ensure that by upgrading to our latest GDPR  versions; discussing your needs and processes with a Metalogic consultant will enable customers to build compliant practices within their organisations more easily to fulfil the main areas covered by the legislation.