MAROLLES EN BRIE, France — The European Union’s General Data Protection Regulation, adopted in spring 2016, will take effect May 25, 2018. All businesses, including those based outside the EU that handle the personal data of individuals in the EU, will thus have to comply with this new regulation, designed “to make Europe fit for the digital age.”
GDPR’s introduction follows the wave of data protection laws that have been introduced worldwide in the last few years. These include the Personal Data Protection Acts (PDPA) in Malaysia and Singapore; the often-cited Sarbanes-Oxley Act in the United States is a financial-reporting law rather than a data protection law, though it imposes comparable record-keeping and accountability duties. These regulations are intended to protect against the unwarranted use and storage of personal data and to give individuals more control over how their data is processed and retained.
Radio broadcasters need to be aware of this new regulation and prepare accordingly. Here are a few questions you may ask yourself:
Will radio stations have to comply? While the rules may appear to have been designed for the large-scale data collection of major IT firms, they apply equally to smaller businesses, and will be enforced by national data protection authorities. In addition, with cloud usage on the rise, personal data is at even greater risk today. This is due to the presence of “Shadow IT”: cloud apps and services purchased and used by other departments without the IT department being aware of them, so nobody knows what personal data they hold or where it is stored. Fines for breaching the law can run up to 4% of an entity’s worldwide annual turnover (or €20 million, whichever is higher), and because turnover is assessed at group level, that can add up to quite a lot of money for stations that are part of a larger media group.
What advantages will this new regulation bring? Despite the costs and possible hassle associated with working toward compliance, GDPR will certainly have some positive consequences. These include: the reduction of Shadow IT; better practice and accountability within teams; a centralized, streamlined inventory of personal data and a clear view of which information the company is actually allowed to use; and increased confidence in your brand.
Do we really collect personal data in our daily operation? Yes. Personal data is everywhere in your organization. It starts with something as simple as an email address. Even the routine task of sending out email lists to subcontractors must now be traceable: who received what, and on what legal basis. A company’s list of employees is also personal data.
How can I comply? First of all, take a look at your internal organization. Reinforce good practice and double-check data protection, contracts with third parties (processors), your registry of processing activities, etc. Secondly, check the security of your software applications: encryption, user accounts that expire, data retention limits with automatic deletion, and records of consent that show who agreed to what and when. Finally, verify your firm’s general IT hygiene: VPN use for remote access, HTTPS everywhere, a BYOD (bring your own device) policy, strong passwords, server hardening, etc.
GDPR compliance can’t be achieved overnight, and many feel they will not be fully ready in May. However, each station needs to start the compliance process as soon as possible so that it can demonstrate good faith to the supervisory authority in case of an audit or a breach.
There are also consultants available to help you in this endeavor. With their expertise in software development combined with in-depth knowledge of your business, these professionals can help ensure that your business is on its way to becoming GDPR-compliant.
The author is CEO of NeoGroupe in France and V.P. of NGI Software Inc. in Canada.