As we’re now within days of the nervously anticipated General Data Protection Regulation (GDPR) going into effect, companies face a stark choice between complying with its terms and being prepared to pay. That’s what has companies nervous – particularly small to midsize companies who don’t have the big budgets of large enterprises.
EU Website Resource
For those who are rapidly trying to get a handle on the details, the European Commission (EC) has published a number of advisories and a website to assist companies in their preparations: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
What the GDPR Requires
The GDPR goes much farther than the existing 1995 European Union privacy laws, broadening them in scope, in who is obligated to abide by them and in the penalties for not doing so. All companies doing business in the EU and all companies that “control” or “process” personal data of European consumers, even if these companies are not physically in the EU, must abide by the regulations or face the law’s consequences.
Written Consent from EU Citizens to Use Their Data Is Now Required
Under the GDPR, companies that handle European consumer data must have written consent from consumers to collect and use their data, and the use must be only for a legitimate business purpose. The prior 1995 EU data protection directive allowed a more casual opt-out model of acceptance from consumers, but now consumers must purposefully opt in. They can withdraw their consent at any time. When this happens, or if the business purpose for which the data was initially collected is complete or no longer applicable, the company must delete the data.
A key objective behind the regulation is to ensure consumers have more rights to control their personal information, i.e., who is allowed to have it, what can be done with it and when, and to have it removed when desired.
Companies are on the hook to follow the regulations when handling European consumers’ personal information, whether it’s in paper or electronic form, and the obligation extends to whomever they share the information with – partners, vendors, suppliers. This includes cloud-based data and how it’s managed online. Companies must keep detailed records of all of their processes, activities and transactions and be able to make the records available if requested by officials.
If a Data Breach Happens
The GDPR requires companies to let EU regulators know within 72 hours if a breach has occurred, even if all the relevant information isn’t yet known. Regulators want to know the nature of the incident, how many people were affected, the possible consequences for them and the steps the company is taking to respond.
Consequences for failing to disclose can cause the hair to rise on the back of one’s neck. The penalty for not disclosing the breach can be as high as 2% of the company’s annual global revenue or 10,000,000 euros (over $12,000,000), whichever is higher. If a company fails to comply in certain areas, the penalties could double.
To put this another way, if the GDPR had been in effect over the last 5 years, FTSE companies that experienced a data breach would collectively have faced fines of more than 25 billion euros (close to $30 billion)*.
Steps to Take?
Likely you’ve already got your plans in place. The list of details is lengthy, and the following is not exhaustive, but good places to start include:
—Begin by assessing your data. You must know what you have on your European customers and prospects (in your databases, on your email lists, etc.), whether it’s necessary and, if so, what you’re doing with it.
—It is critical to know whether you have documented consent (not just a passive opt-in) to hold the information and to be using it. If you don’t know or aren’t sure, find out.
—Have qualified people – a chief security or data officer or the like – familiar with privacy regulations to work on your team.
—Make sure you have steps in place to avoid a data breach and develop or enhance a plan of action in case one happens anyway.
—Have a budget – for staff and resources so you can avoid the threat of penalties.
—Be well informed of third parties you work with and what data they may house, process, work with or otherwise be exposed to – even old data – because as the owner of the information, you bear all (100%) responsibility for what happens to the data, not them.
—Check out the EU’s GDPR website resources: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
—Take advantage of the resources your vendors make available. Companies like Google, Hubspot, Box, email providers, and so on, have been investing in this for months. While they cannot assume responsibility for you, as noted above, they also are on the hook to comply and have a good deal of resources, tools and guidance available.
—Keep working at it. You may not be 100% ready by May 25 and chances are good you’re not alone. But every day of progress improves your standing and reduces your risk.
First and Foremost, Protect Your Data
Data that’s secured from theft and misuse protects you from violations. For information on better protecting your applications and data from a breach, including unpatched vulnerabilities and unknown threats see our company overview and datasheet, or browse our additional resources.