This Friday (May 25, 2018) marks the final deadline for all organizations to be in compliance with GDPR before major consequences are enforced. As this historic legislation impacts most companies worldwide, here are the most important things you should know about GDPR.
1. What is GDPR?
The GDPR (General Data Protection Regulation) is a regulation intended to strengthen the protection of personal data for European Union (EU) citizens. It is the first comprehensive overhaul and replacement of data protection legislation from the EU in over twenty years. The purpose of the GDPR is to give citizens back control of their personal data and impose stricter data privacy and security requirements on organizations.
2. Why is This Happening?
GDPR seeks to expand and update rules that have been in place since 1995 and unify a patchwork of different laws into one piece of legislation.
The EU said the new rules are necessary to protect consumers in an era of huge cyber-attacks and data leaks. They aren’t wrong. In the last few years, cybercrime has skyrocketed and is not showing signs of slowing down. In fact, the total cost of cybercrime in 2017 exceeded 600 billion dollars according to the Center for Strategic and International Studies.
3. Who Needs to be in Compliance with GDPR?
Any organization that communicates with citizens in the EU. The GDPR encourages companies to be more reliable, transparent and responsible for the data they retain. In fact, any organization that stores or processes the personal information of EU residents will be required to comply with the new rules.
4. What Does This Mean for Consumers?
Every EU resident has the right to verify which of their data is stored and by whom. Too often, in fact, users have little or no knowledge of the ways in which their data is recorded, analyzed and shared.
5. What Types of Data do Companies Want?
The data collected for marketing is broad. It can include email addresses, phone numbers, employer information, job title, etc. If the user withdraws consent for their data, the administrator/company must remove that user from any mailing lists or subscriptions. Email addresses are the primary pieces of data that will impact the way in which companies will create awareness and contact new or existing consumers.
6. Can Companies That Already Have Someone’s Data Use It?
The GDPR requires data owners to give consent at the time data is collected. Backup copies and emails containing personal data, which companies must manage according to the rules of the GDPR, are then made to protect personal data offsite in the event of a breach or attack. It is quite normal for companies to have a dozen or more copies of each backup.
With current technology, there is no way to delete personal information from the backup, and companies are allowed to keep the data on the backup even if the individual has exercised the right to be deleted.
7. How can Companies Comply with GDPR?
One of the main requirements for the regulations to be met is that “the controller must be responsible and be able to demonstrate compliance with the principles”. From a compliance perspective, regular tests on the backup and recovery system and data protection reporting are a good way for the DPO (Data Protection Officer) to demonstrate compliance with the law and enforce data protection.
The teams responsible for managing backup and email data need very powerful, yet easy-to-use tools that enable them to quickly identify information and remove it from the systems.
8. Does This Mean Information is Safe from a Data Breach?
Businesses must ensure an adequate breach response by the end of May. Companies must perform dry-run scenarios with their security teams beforehand so that, in a real data breach, the company is able to alert the relevant authorities within 72 hours. While data can still be compromised, the quicker the response from the company, the less harm can be done with stolen data.
9. What Happens if Companies Fail to Comply with GDPR?
Extremely large financial penalties. European regulators can fine companies up to 4 percent of annual global sales, which for the big tech firms could run into billions of dollars. Penalties for smaller firms would be capped at €20 million (approximately $23.5 million).
The next step for organizations, once they reach a full understanding of the GDPR, is to identify how this new legislation will impact them and the appropriate course of action that must be taken. Introduce these as quickly as possible so you can start educating your workforce about them.