With GDPR on the horizon, firms scramble to meet compliance
The General Data Protection Regulation from the European Union has been a long time coming: it was approved by the European Parliament in April 2016 and entered into force the following month, but it only becomes enforceable in spring of next year.
Roughly two years may seem like a long enough time for businesses to ramp up their data protection policies and avoid the hefty fines for non-compliance, which run up to 4 percent of a company’s annual worldwide turnover or 20 million euro, whichever is higher. Yet a lot of companies are still either unprepared for the fast approaching deadline, or completely unaware that they run the risk of facing fines at all.
The most common misunderstanding about the regulation is that it applies only to businesses based in the European Union, or to branch offices based on the continent. In fact, under Article 3 it applies to any company that offers goods or services to individuals in the EU, or monitors their behaviour, wherever that company is established. That covers everything from small e-commerce operations selling niche products to major service providers like Amazon and Google.
While the GDPR itself is wide-ranging compared to the 1995 Data Protection Directive it replaces, companies that have kept up with data collection best practices over the past two decades should have a good foundation in place to build on ahead of the May 25, 2018 deadline. But there are a few significant points that companies need to address without delay as that deadline approaches.
Some companies will need to beef up staff
While the GDPR itself is a pretty cumbersome document, containing 99 articles across 11 chapters, there are a few sections in particular that will have the biggest immediate impact and that businesses need to zero in on. For instance, Article 37 makes it mandatory for companies whose core activities involve large-scale processing of the special categories of personal data listed in Article 9 (genetic data, biometric data, health records, racial or ethnic origin, religious or philosophical beliefs and the like), or regular and systematic monitoring of individuals on a large scale, to appoint a data protection officer. The DPO is tasked specifically with monitoring the business’s compliance with the GDPR and acts as its point of contact for the supervisory authorities, while Articles 35 and 36 add a mandatory data protection impact assessment, and in some cases prior consultation with the regulator, for high-risk processing. Note that the regulation speaks of “personal data” rather than the more familiar “personally identifiable information (PII)”, and the EU definition is broader, taking in identifiers such as IP addresses and cookie IDs.
The legislation also dictates time frames for breach reporting that regulators will be keeping a close eye on, especially in the wake of recent high-profile data breaches where customers weren’t informed about the incidents until months or years later.
Article 33, for instance, requires controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals. Article 34 takes this a step further, requiring controllers to communicate the breach to the affected individuals themselves without undue delay when it is likely to result in a high risk to their rights and freedoms. Processors, for their part, must notify their controller without undue delay. A controller that fails to do so faces enforcement action and fines from the supervisory authorities, as well as compensation claims from the affected individuals under Article 82.
More control is in the hands of the customers
While the GDPR is primarily intended to protect individuals’ personal data, it’s also going to be a great consumer tool for making sure individuals have greater choice in the companies and services they trust their data with.
Articles 17 and 20, for instance, set out the “right to erasure” and the “right to data portability,” respectively. Portability lets an individual receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format and transmit it to another provider, which undercuts the practice of using data lock-in to keep customers. Erasure lets an individual require a business to delete their personal data without undue delay when one of the grounds in the article applies, for example when the data is no longer needed for the purpose it was collected for, when consent is withdrawn, or when the processing was unlawful in the first place. Both rights come with exceptions, and a business needs a documented process for recognizing a request, verifying the requester’s identity and responding within the one-month window the regulation sets.
A regular point of reference for anyone in an organization who handles personal data should be Article 83, which sets out the administrative fines and which kinds of violations fall into each tier: up to 10 million euro or 2 percent of worldwide annual turnover for failings such as inadequate security, records or breach notification, and up to 20 million euro or 4 percent for violating the basic processing principles, individuals’ rights or the rules on international transfers. Since few small businesses can stomach a hit of 20 million euro, let alone 4 percent of their annual turnover, on top of the additional legal and logistical costs of remedying a major data breach, knowing what counts as a violation is critical.
There are a lot of other nuances associated with the GDPR that are outlined throughout the remaining articles and chapters of the regulation, but businesses need to look beyond just compliance if they are going to secure their networks against data breaches that could put security teams out of a job. The threat landscape for cybersecurity is constantly evolving, and considering it took the EU more than 20 years to replace its previous data protection directive, it’s up to businesses to stay on top of the latest threats as they come to the fore.