The first phase in any strategy to ensure compliance with the General Data Protection Regulation, also known as the GDPR, is GDPR awareness, with an emphasis on staff awareness, to ensure that appropriate attitudes, techniques and procedures are in place to protect personal information. This is a regulatory body for ensuring the protection of personal information and applies across many sectors of business and other organisations. An example of where it can be implemented is the use of password-protected online forms, which ensure that the data being entered is accessible only to those who have the relevant security clearances.
Many people assume that the term ‘GDPR compliance’ refers to some particular technical regulation. This is not the case; however, each country will have its own set of guidelines and requirements that it regards as appropriate for its citizens’ personal data to be protected. For instance, the Irish Data Protection Act considers that any personal data that could identify a person to be at risk of identity fraud or abuse should be protected and may include any payment details that relate to that person (e.g. bank account details). Similarly, the UK’s Personal Financial Services Code requires businesses to inform clients of the risks of passing sensitive information on to third parties and to take reasonable steps to correct any issues that may arise.
In Ireland, as part of its GDPR awareness programme, all businesses that process payments must also be provided with an identity theft policy. Similarly, the Czech Republic requires all companies processing payments to also be provided with an identity theft and credit crime awareness policy. One of the recommendations of the European Commission’s Privacy and Electronic Communication (PEC) Working Group was that all member states should work with their counterparts from the United Kingdom, the United States and Australia to develop a single consolidated document covering the collection, storage and treatment of electronic data. This would provide a uniform approach across all member states that would make it easier for individuals to understand what their rights are and to check whether they have adequate protections.
The GDPR has had a significant impact on the way in which companies collect and store personal data. The Payment Data Bill, currently being debated in the lower house of the parliament, seeks to amend the Payment Data Bill to make it compatible with the General Data Protection Regulation (GDPR). The amended Bill is expected to affect all companies that process personal payments in Ireland. If passed, the new laws will require providers to inform clients about the risks of transmitting sensitive personal and business information across the internet.
There are now professional bodies in the United Kingdom that address specific issues related to the subject of privacy and personal data protection across the internet. These associations include the British Internet Marketing Association (BIMA), the Association of Personal Financial Advisors (APFA), and the Association of Independent Consumer Credit Advisors (AICCA). The Global Information Management Solutions (GIMS) initiative was launched in the United Kingdom in August 2009 to promote information management and improve digital security throughout the UK. It is currently the fastest-growing international internet industry body.
The Irish data protection authority has published several guides on the subject of electronic privacy and responsibility for electronic data. In a nutshell, the main focus of these guides is on creating an awareness in businesses and individuals about the importance of ensuring that personal data is protected at all times. One of the main elements of this effort is the creation of a website for this purpose that will carry a prominent link to the Irish data protection regulation and information security guidelines. This is one element of GDPR awareness that has proved successful in terms of raising awareness and encouraging businesses and individuals to follow the regulations.