What is GDPR and GDPR Compliance?

The EU General Data Protection Regulation (GDPR) is built around two key principles:

  • Giving EU citizens (data subjects) control of their personal data
  • Simplifying and strengthening regulations for businesses with a unified approach across the European Union

It’s important to note that the GDPR will apply to any business that processes the personal data of EU citizens, which means that it could also apply to companies based outside of the EU. The UK government has confirmed that Brexit will not affect the GDPR start date or its immediate running, and it will commence from the 25th May, 2018. GDPR has implications for all organisations that collect information about customers resident in the EU, and whilst the telecommunications and IT sectors have adhered to a strict regulatory regime for a number of years, there are changes that GDPR compliance will bring. This page aims to outline some of the most significant changes that are coming, and will also highlight the Columbus view and update on the General Data Protection Regulation.

GDPR Background

The GDPR is a new EU Regulation which will replace current UK legislation. The existing EU Directive was originally implemented in the UK via the Data Protection Act 1998 to enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. The GDPR builds on many of the original Directive’s requirements for data privacy and security, but includes new provisions to bolster the rights of data subjects and adds harsher penalties for any violations.

How does GDPR affect telecoms and IT?

Organisations that transfer information for data warehousing, analytics and marketing purposes will need to delete, encrypt or ‘anonymise’ their data. Whilst IT and data security is already of paramount importance to Communications Providers (CPs), security measures will need to meet strict GDPR compliance standards. Another important consideration will be data portability. CPs will need to provide customers with a copy of their personal data in an easily accessible electronic format if requested.

Does GDPR apply to my business?

GDPR applies to any business that processes the personal data of EU citizens. This includes customer, supplier, partner and employee data. So the first question you need to ask is: how often does your business deal with personal data? This includes customer data, but have you factored in supplier data? Past and present employees? If you’re collecting any of this data routinely, you’ll need to ensure GDPR compliance, whether the data is in a database, computer network, mobile phone, in the cloud or on paper.

Key Provisions of the GDPR

The EU General Data Protection Regulation (GDPR) will replace all other data protection regulations within Europe. The GDPR does two things: it protects the data rights of EU citizens, and it protects their privacy, i.e. their data. Any organisation that carries out business activities within the single market will have to comply with it. This also includes non-EU businesses who deal with EU customers. Find out about some of the key provisions below.

Don't hang on to old data

One of the key principles of GDPR is to require companies not to hold on to personal data for longer than necessary, or process it for purposes that the individual isn’t aware of. Identifying your data categories and what personal data you have, and why, will be very helpful in ensuring GDPR compliance.

Explicit Consent

Individual ‘consent’ has been redefined under the EU GDPR and as a result become more strictly controlled. The intention is to put the data subject in control of their own personal data. On top of this, requests for consent can no longer be hidden in small print but must be presented clearly, and separately to other policies on your website or communications. Pre-ticked boxes for consent are no longer acceptable for example. Consent may not be required for pre-existing personal data, as long as you have a legal basis that’s compliant with the current legislation (the DPA). The principle is that inactivity is no longer a legitimate means to confirm consent.

Privacy by design and default

GDPR mandates that organisations should include privacy in their processes and systems by design. This means that all the organisation’s systems and software should adhere to the key tenets of GDPR. For instance, if a request to be forgotten is received from an EU citizen, you should be able to completely erase the personal data belonging to the data subject within the specified time frame.

Right to be forgotten

The way we collect, store and use data will change under GDPR. The right to be forgotten mandates organisations to delete all of an EU citizen’s data, including all copies, should they request it. To ensure GDPR compliance, this requires a comprehensive data map covering what data is stored, where, and who has access to it.

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. In so doing, GDPR allows data subjects to obtain and transfer personal data, from one data controller to another, in a safe and secure environment. This enables individuals to take advantage of applications and services that can use their data to find them a better deal or help them understand their spending habits for example.

Stricter rules for data breaches

Breach notification is another key provision of GDPR compliance. Under this provision, it will become mandatory for organisations to notify the data protection authority and customers within 72 hours of a data breach. In the UK the data protection authority is the Information Commissioner’s Office (www.ico.org.uk). It is also important that an organisation suffering a data breach can prove its due diligence in preventing such breaches.

Higher non-compliance fines

The GDPR toughens up penalties that already exist under the DPA. These penalties at present include:

  • Maximum fines of £500,000
  • Prosecutions, including prison sentences for deliberate breaches
  • Obligatory undertakings, where your company has to commit to specific action to improve compliance

With the onset of the GDPR in May, these penalties are set to get much tougher. Businesses in breach will see a dramatic increase in fines with penalties reaching an upper limit of €20 million or four per cent of annual global turnover, whichever is higher.

The Columbus position on GDPR

It’s easy for businesses with so much work and limited time and resources to see the GDPR as a burden. But it’s something that can be used to your organisation’s advantage. By proving to potential and existing customers that your organisation is compliant with GDPR, you could add significant value to your proposition, which in turn could help you generate more business. No one likes having their data lost, stolen, damaged, misused or shared without proper consent, and doing everything you can to protect your customers and grow their trust could be a valuable selling point. There are serious reasons to become GDPR compliant and, from a practical viewpoint, you should see it as being worthwhile to organise your back office more efficiently, earn your customers’ trust and be the company that respects personal data, rather than doing little or nothing about it and suffering the consequences later.

Columbus is fully focused on GDPR compliance. Columbus already operates in a highly regulated telecommunications sector, so we are confident that our processes and services will meet GDPR requirements prior to the go-live date. Prior to and beyond the implementation of GDPR, we will monitor our processes to ensure full compliance with GDPR at all times. Whether we collect personal data from our customers, suppliers or business partners, or process any personal data on behalf of our customers, we have stringent technical and organisational measures built around all of our data sets to ensure full compliance.

Have a question about GDPR compliance? Get in touch with the Data Protection Officer.
