Byron Russell attended a recent Publishers Association seminar on the new 2018 Data Protection Regulations – the GDPR. This is what he found out.
On May 18, 2018, the new GDPR (personal data protection) regulations come into effect, and this will have radical implications for all of us. Although this is an EU regulation – and despite Brexit – it will be absorbed into UK law and supplant the current regulations (the Data Protection Act 1998). Note that the new regulations affect all publishers who process data that comes from, or is fed to, the European Union – so US Publishers are potentially affected too.
As you’re probably aware by now, the new regulations are far more stringent and proscriptive than the current rules regarding data protection. So are the penalties for non-compliance – up to a €20 million fine or 4% of the company’s turnover, whichever is the greater. There is even the possibility of custodial sentences being imposed on company directors in the case of breaches of security or misuse of personal data.
Compliance will involve a lot more auditing, governance and accountability. How you store and use personal data will be restricted and controlled. For example, it will no longer be legal to have an obscure “small print” set of terms and conditions of use, which users agree to by ticking (or omitting to tick) a box, or just by using the platform through which content is delivered.
At the recent Publishers Association seminar on GDPR that I attended, the only good news was that there would be some exemptions for smaller companies and that exemplary fines were unlikely to be imposed, at least initially – but there were likely to be far more fines than have been imposed until now by the ICO (https://ico.org.uk).
We are preparing a webinar on GDPR in January 2018, but the PA strongly advised that all publishing companies that hold personal data – including, but not necessarily limited to, author data, subscription data and marketing data – should take steps now to ensure as far as possible that they comply with the new regulations and – equally importantly – can demonstrate that they have taken steps to comply.
Here at Ingenta Connect, we hold personal and subscription data for over 300 publishers, and well over 1 million personal records for registered users and newsletter subscribers. These are the steps that we shall be taking over the next three months.
Firstly, we intend to carry out an audit of all personal data we hold both in our own right and on behalf of others. We need to check whether all personal data is up-to-date, where it is stored, for how long it has been stored, how it is protected, what the data entry points are and whether the holding of such personal data is strictly necessary to the carrying on of our business.
We will also begin to put a response plan in place in case of the unlikely event that there is a data breach. We will provide training for all staff, so that they are fully aware of the new regulations, as to a certain extent, all staff members are responsible for personal data to which they have access, even if they are not necessarily accountable.
We shall have a “privacy champion” within the organisation whose job will be to become familiar with the new regulations and their application, and who will work with the rest of the team to devise internal policies and procedures, including keeping records of data storage locations, data collection, processing and use. And as you supply data to us – thereby making us data controllers with regard to your data – we will have to draft a compliance addendum to each and every contract.
We will of course be keeping you informed and up-to-date with the latest developments, including sharing information regarding the GDPR. If you would like to look at the regulations in detail please go to gdpr-info.eu
Byron Russell is Head of Ingenta Connect, responsible for the business development of the Ingenta Connect service and for managing its Account Management and Client support teams in the US and UK.