Utilising and protecting personal data is already a delicate balancing act, as more organisations invest in data analytics, collection and storage. With the EU’s new General Data Protection Regulation (GDPR) on the horizon, there are big implications for any businesses processing data, and an even greater obligation to safeguard it.
Arming yourself with all the facts on GDPR, and assessing and improving your company’s data handling procedures will ensure security compliance and avoid hefty fines, ahead of its arrival in May 2018.
1. GDPR is global
The GDPR may be an EU reform, but it will impact any business worldwide that handles the data of EU citizens. It is the first global initiative protecting personal data, requiring universal security compliance. This means that if you’re a UK business, Brexit will have no influence over the GDPR’s rules if you process EU data.
2. Extension of liability
Historically, only data controllers were responsible for data processing activities. With the GDPR, liability extends to any organisation that comes into contact with sensitive data. If your company processes personal information, it must be fully GDPR compliant.
3. Consumers have the right to be forgotten
The primary intention of the GDPR is to hand back control to citizens when it comes to their personal information. Your organisation must not hold a customer’s data for longer than required, or use it for any other purpose, and you must delete any information at an individual’s request. Citizens have the right to be forgotten, which ultimately means they can opt out entirely.
4. Proof will be required
One of the trickiest aspects of the new reform is the requirement to prove you obtained clear and positive consent for data collection. Your processes will need to be absolutely watertight to ensure that proof is always obtained, stored, and can be easily accessed.
5. More information classed as data
The official definition of personal data has been widened by the GDPR, bringing new information under regulation. This now includes an individual’s genetic, mental, cultural, economic or social condition. Importantly, information about cookies and IP addresses is also now under scrutiny, so IT data that was previously unaffected will need extra attention to ensure your business is compliant.
6. Assess and report within 72 hours
Your organisation’s ability to detect and respond to a security breach will be essential under the GDPR. To adhere to the new regulations, your systems must have the necessary technologies and processes in place to continuously monitor for and identify a threat, and to notify the Information Commissioner’s Office (ICO) within 72 hours of a breach. Privacy Impact Assessments (PIAs) will be mandatory.
7. You may need to appoint a DPO
If your company’s main activities involve handling personal information on a large scale, a Data Protection Officer (DPO) will need to be appointed, regardless of the business size or number of employees. According to a study by the International Association of Privacy Professionals (IAPP), the GDPR’s new requirements mean that 28,000 DPOs will have to be appointed in Europe alone.
8. Privacy is paramount
Privacy must be integral to all your software, processes and systems, and you must be capable of completely erasing personal data. Some businesses may consider outsourcing their data storage and security processes, to ensure that their systems are entirely compliant and to minimise the resources needed in-house.
9. The new fines are much bigger news
So, why should you take notice? The GDPR is upping the non-compliance fines to €20m, or 4% of worldwide annual turnover, whichever is greater. Simply put, a fine of this magnitude could spell the end of an SME, or any business without much room on their bottom line, so complacency on the reform is not an option.
The General Data Protection Regulation is approaching fast, and with such heavy financial implications for violation, you should consider it a first priority if your organisation handles personal data. But don’t be despondent; dealing with one supervisory authority rather than a different one for each EU state should simplify matters, and transparency on all the facts on GDPR ensures your whole organisation will be well informed.
Most importantly, there’s still time to get your data storage processes optimised. Whether this means fine-tuning your own back office, or partnering with a trusted systems integrator like Genisys, it’s the right time to act. We are experts in security compliance, and our solutions can help get your business GDPR ready for 25 May, 2018. Read more about our services here.