May 25, 2018 will mark a “before and after” in the field of data protection legislation. That day will see Europe’s GDPR (General Data Protection Regulation) come into effect. The regulation actually entered into force on 25 May 2016, but once the two-year transition period it stipulates is up, any company that violates its requirements will face fines of up to 20 million euros. And it won’t be just the IT department of your company that will have to tailor its activities to the new law: HR, Legal, and Marketing, to mention a few, will also be directly involved. One of the fundamental steps to be taken for the GDPR is to make companies aware that this is not just an IT issue.
In this post you will find the answer to four fundamental questions about the GDPR. First of all…
1 What is the GDPR?
The main objective of this new regulation is to protect the personal data of citizens of the European Union and to control how companies and institutions process, store, and use that data. The new legislation replaces the Data Protection Directive of 1995 to adapt to the current climate, while synchronizing and unifying the specific legislation of each country. Its nature as a regulation makes it directly binding.
The GDPR seeks to give control over personal data back to EU citizens, with strict rules that eliminate the ambiguities of the previous directive and of the specific legislation of each country. Among the rights granted to citizens are the right of access (individuals may require an organization to state whether it stores their personal data, where, and for what purpose), the right to be forgotten (an individual may request that their personal data be deleted for any reason), and the right to data portability (an individual may request their personal data from a company in a format that allows them to transfer that data to another company).
2 Will the GDPR affect my business?
If you process and store the personal data of residents in the European Union, no matter where your company is located, then the answer is yes. The new regulation does not apply only to organizations located in the EU. This is a fundamental point to keep in mind, and, as this study from Spiceworks shows, very few US companies that will need to adhere to the GDPR are prepared to do so. Only 5% of US IT managers say they have started to prepare for the GDPR. Moreover, most are not even worried about the serious economic damage that their company could suffer if they breach the regulation: only 10% fear a fine.
3 How do I comply with GDPR?
The new regulation will require a greater level of commitment from both public and private organizations to managing and protecting personal data. One of the key points is the role that “active responsibility” will play, putting greater emphasis on the prevention of any incident that might affect personal data. The regulation states that taking action when an offense has already been committed is inadequate, as such an offense could cause damages to affected parties that would be difficult to compensate for.
Companies will be required to demonstrate that they are able to comply with the GDPR. They will be expected, for example, to be able to perform internal audits to check the security status of their systems, maintain data processing records, have appropriate tools to report security incidents in less than 72 hours, review privacy policies, implement mechanisms to reduce the risk of falling victim to an attack, and evaluate risk indicators on an ongoing basis.
Companies that have put their trust in Adaptive Defense already have a head start on the GDPR, as this solution has the tools necessary to implement all these measures of prevention and protection.
4 What happens if I breach the GDPR?
Fines for breaching the new regulation will be substantial, reaching up to 20 million euros or the equivalent of 4% of the company’s annual global turnover, whichever is greater. These maximum penalties will be levied in the event that a company commits a very serious infringement, such as not having an individual’s consent before processing her data.
And there’s more to it than the potential financial impact of hefty fines, or even the possibility of being required to compensate natural persons whose privacy is violated. Reputational damages could be severe and result in the loss of current or potential clients.
Although there are still several months ahead until the GDPR becomes mandatory, there’s no time to rest on our laurels. The clock is ticking.
You can find more information on complying with the new regulations in our “Preparation Guide to the New European General Data Protection Regulation”.