What is GDPR?
The General Data Protection Regulation (GDPR) is a new piece of EU legislation that comes into force on 25 May 2018 and, in the UK, replaces the Data Protection Act 1998 (DPA). With the GDPR comes an updated set of responsibilities for organisations that process personal data, either for themselves or on behalf of others.
Under GDPR the concept of ‘personal data’ is very broad and covers any information relating to an identified or identifiable individual (also called a ‘data subject’). It gives data subjects more rights and control over their data by regulating how organisations collect, handle and store the personal data they hold. GDPR also raises the stakes for compliance by strengthening enforcement and imposing much larger fines on organisations that breach its provisions.
In summary the key changes are as follows:
- Unambiguous and activity-specific consent – you must obtain freely given consent to use an individual’s data (pre-ticked boxes don’t count!). You must also allow separate consent for different types of data processing, to give individuals more control over what they are consenting to.
- Greater rights for individuals – individuals can ask for a copy of the data an organisation holds about them (a subject access request) and, in most cases, there is no longer an administrative fee for doing so.
- Penalties for breach – fines for infringing the regulation (not only for data breaches) increase substantially under GDPR, to a maximum of 4% of annual worldwide turnover or €20 million, whichever is greater.
- Clearer policy required on data retention – you may only retain personal data for as long as you can justify using it, and you should document that justification.
- Greater responsibility for data processors such as Akero – those who process data on behalf of the data controller (you) have direct legal obligations for the first time (see below).
- Risk-based approach to “sensitive” (special-category) and other high-risk processing, including a Data Protection Impact Assessment (DPIA) where processing is likely to pose a high risk to individuals.
- Greater technical security requirements – data protection by design and by default, meaning confidentiality and security must be built into products, campaigns and processes from the outset rather than bolted on afterwards.
- Mandatory data breach reporting – organisations must report certain types of personal data breach to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of them.
What is Akero doing in order to become GDPR compliant?
Akero has dedicated internal resources to GDPR since May 2017, a full year before the regulation comes into effect, and we aim to demonstrate our commitment to compliance through actions as well as words.
Here’s an overview of our GDPR Roadmap and where we are on the journey:
Complete: Established a GDPR steering group that continually researches the areas of our product and our business affected by GDPR.
Complete: External audit of GDPR readiness and information security (InfoSec).
Complete: Appointed a certified GDPR Practitioner.
Complete: Developed a strategy and requirements for addressing the areas of our product affected by GDPR.
Complete: Regular system penetration testing and Cyber Essentials Plus certification.
In progress: Make the necessary changes and improvements to our product based on those requirements.
In progress: Implement the changes to our internal processes and procedures needed to achieve and maintain compliance with GDPR.
In progress: Thoroughly test all changes to verify and validate compliance with GDPR.
To be completed: Finalise and communicate full compliance.
What is happening to Akero’s technology in order to make it GDPR compliant?
We are taking many steps to ensure we will be ready for the changes GDPR brings. We are adding multi-factor authentication (MFA) as an option on accounts and requiring that privacy notices and opt-in consent are in place before pages and forms are published. We will also require user consent for Akero’s tracking features, and the system will prompt users to set up compliant campaigns.
Finally, we are adding support for encryption of data at rest and masking Personally Identifiable Information (PII) so that it is not shown in the clear when agencies view it.
Based on research by both our internal and external counsel, we are confident these updates address the requirements of GDPR. We will communicate the changes in detail in early 2018.
What do Akero customers need to do?
There are a few things you might need to do, depending on your situation and jurisdiction. Below are the changes we can currently foresee that might affect you as a result of using Akero:
1. Privacy Notice & GDPR compliance
2. Only collect information you actually need
Under GDPR you must be able to justify every item of data you collect, and must not collect more than you actually require (data minimisation).
3. Make sure the consent options on your forms are right
Under GDPR you must be completely explicit and unambiguous when gaining consent for future communications. You must obtain freely given consent to use an individual’s data (pre-ticked boxes don’t count!). You must also allow separate consent for different types of data processing and marketing communications, to give individuals more control over what they are consenting to. Start this transparency now and save yourself some of the legwork further down the road.
Be mindful of the general security of your Akero profile: use strong, unique passwords (and multi-factor authentication once it is available), and ensure you remove user logins and access promptly when people leave your organisation.
More information will follow on a regular basis over the coming months; in the meantime, if you have any specific questions, please don’t hesitate to contact us.