Now that we have grabbed your attention, there are some significant changes coming in terms of data protection. From the 25th of May 2018, the General Data Protection Regulation (GDPR) comes into effect. You may or may not have heard of it, but it’s something that operators in the EU need to take stock of really quickly. This new regulation is being brought in to protect and empower all EU citizens’ data privacy and to reshape how organisations approach data privacy.
So what has all this got to do with the 4% of annual turnover? Under the regulation, any data breach by an EU organisation holding data of EU citizens can attract a fine of 4% of revenue or €20 million (whichever is greater). Not only is this a significant financial impact for any operator, but a breach could also have serious consequences from a PR and customer experience point of view.
The amount of personal data that operators hold on their customers is staggering, and quite scary to be blunt. This includes copies of photo identification, bank account/credit card details, date of birth, address, location, and who they are calling, to name but a few. Some of this data depends on the type of customer you are with an operator, e.g. prepay/post-pay. Operators can also gather this information through many channels, e.g. online, in a retail store, over the phone, from the network core, etc., while at the same time the number of devices that customers use is increasing across Europe. A data breach involving a combination of the above could therefore have a serious effect on the individual who owns the data. Operators will be obliged to notify their regulator and their customers of a data breach within 72 hours of becoming aware of it.
The regulation has other implications for operators. EU citizens have the right to request the deletion of their personal data once they are no longer a customer of the operator. Citizens will be able to request confirmation from the operator of whether their personal data is being processed, where, and for what purpose. Citizens have the right to have their personal data rectified if it is inaccurate or incomplete. There are many more considerations that operators will need to get their heads around, and fast.
So what can operators do to protect themselves? Firstly, they need to get the ball rolling on this if they haven’t already done so. They will need to carry out rigorous audits (Data Protection Impact Assessments, DPIAs) of potential weak points and identify areas, products or channels that are potentially non-compliant. Ensure that you have data controls in place, and guidance for those responsible for them, so that they have full access to all areas of the operation to assess compliance levels. Operators need to train every member of staff, as well as contractors and vendors, on the importance of the regulation, and thereby demonstrate compliance.
Operators have always been aware of the importance of personal data security. This regulation takes it to a new level, and non-compliance will have disastrous implications for the operator’s revenue and reputation. Investing in security and consultancy guidance will protect the integrity of the organisation over the years as the number of offerings and customers on your network grows.