6 things you need to know about GDPR
Businesses failing this Data Protection legislation will face severe penalties of up to 4% of worldwide turnover
General Data Protection Regulation (GDPR) is set to come into effect on 25 May 2018. UK businesses need to be ready or face severe consequences.
In November 2016, Tesco Bank fell victim to a cyber attack in which £2.5 million was stolen from the current accounts of 20,000 customers. If the Information Commissioner’s Office (ICO) finds Tesco failed to comply with measures to keep people’s personal data secure, they could face a fine of up to £500,000. Under the new regulations set out in the EU GDPR, the same fine could be set at £1.9 billion.
From 25 May 2018, businesses failing this new, stricter data protection regime will face administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. GDPR means significant changes for every business that uses or stores the personal data of people in the EU.
“When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend,” said Nigel Hawthorn, the Chief European spokesperson at Skyhigh Networks.
Here are 6 things you need to know about GDPR to prepare.
1. Understand who GDPR applies to
Regardless of where your business is located, if you handle the personal data of individuals in the EU (whether or not they are EU citizens), GDPR applies to you. Companies across the globe will be held to the same standards.
Each EU member state's data protection authority (the ICO in the UK) has the power to take enforcement action against any organisation breaching these regulations, regardless of geographic location.
Driven by the huge fines businesses face if they fail to meet the protection requirements, 70% of businesses are now expected to increase spending to address data protection and sovereignty, according to Ovum.
2. Understand what counts as personal data
GDPR widens and sharpens the definition of personal data. The Data Protection Act 1998 (DPA) did not explicitly list genetic and biometric information as sensitive personal data; the GDPR does.
Under the EU GDPR, personal data is defined as any information relating to an identified or identifiable natural person. On top of that, Article 9 sets out "special categories" of personal data that attract stricter rules:
"Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation".
This broad definition means almost all customer information now falls under the category of ‘personal data’. Your business must comprehend the significant changes in the incoming regulation, securing any and all data to avoid severe punishment.
3. Review your business’s Terms & Conditions
The GDPR introduces new guidelines stressing the need for clear, affirmative individual consent before relying on consent to use a person's data (and explicit consent for the special categories above). Consent is only one of the lawful bases for processing, but where you rely on it, businesses will need to use simpler language when asking for it, be clear on how the data will be used, and understand that inactivity, silence or pre-ticked boxes do not constitute consent. Lengthy and complicated terms and conditions which lack clarity will no longer be tolerated.
Individuals will also have greater influence over what happens to their data, including data erasure (commonly known as 'the right to be forgotten') and data portability (transmitting their data to another controller).
GDPR also introduces the data minimisation and storage limitation principles: collect only the data that is adequate, relevant and necessary for your purpose, and hold it for no longer than necessary. The purpose limitation principle also prevents businesses from using data for a purpose incompatible with the one it was originally collected for, unless they obtain fresh consent or have another lawful basis.
4. You'll need to conduct Data Protection Impact Assessments
The GDPR (Article 35) introduces mandatory Data Protection Impact Assessments (DPIAs, often still called Privacy Impact Assessments or PIAs) for any processing that is likely to result in a high risk to the rights and freedoms of individuals.
Your business can no longer begin such projects involving personal information unless a DPIA has been carried out first. Where a Data Protection Officer has been designated, you must also seek their advice to ensure compliance throughout the project.
Your organisation must integrate security into the core of all projects, rather than it being a simple consideration.
5. You may need a Data Protection Officer
The EU GDPR does not make the obligation to appoint a Data Protection Officer depend on an organisation's size or number of employees; it depends on what the organisation does with personal data.
If your organisation fits any of the three scenarios below, outlined in Article 37, it's mandatory that you appoint a Data Protection Officer (DPO):
- the processing is carried out by a public authority or body
- the core activities require "regular and systematic monitoring of data subjects on a large scale"
- the core activities involve large-scale processing of special category data (for example, biometric, genetic or health data) or data relating to criminal convictions
The role of the DPO is to monitor the organisation's compliance with the regulations and report directly to the highest management level. A study by the International Association of Privacy Professionals (IAPP) suggests that 75,000 DPOs will have to be appointed globally in the next two years.
This same study shows that staffing requirements are likely to present a big challenge to organisations that don’t hire or develop the skills quickly.
Organisations seeking to develop their new Data Protection Officers are supported by a number of industry-standard qualifications. This includes the CIPP/E and CIPM, which, when taken together, provide a structured introduction to the role of a DPO.
6. Reporting a breach – constant monitoring required
In addition to outlining how your business should secure its data, the GDPR also has strict rules on how your business must respond in the event of a personal data breach.
This includes a common breach notification requirement, replacing the patchwork of breach notification laws across Europe with one definition and providing clarity on how your business reports a data breach. This notification law "requires organisations to notify the local data protection authority of a data breach within 72 hours of discovering it", unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay.
Considering Yahoo stumbled across one of the largest security breaches in history two years after it occurred, this law forces even the largest organisations to be more proactive in identifying and reporting incidents. If GDPR applies to your organisation, you’ll need to put in place tools and processes to monitor and create alerts in the event of an incident 24/7/365.
A note on small businesses
Although Article 30 of GDPR exempts smaller firms (those with fewer than 250 employees) from the obligation to keep written records of their processing activities, the Regulation itself still applies to them, and the extent to which your company is affected depends on the type of data you store and how you process it.
If the data processing carried out by your small firm "is likely to result in a risk to the rights and freedoms of data subjects", is not occasional in nature, or involves special category or criminal conviction data, then even the record-keeping exemption falls away and the full scope of the GDPR applies.
Time is running out...
You have just 12 months to prepare for the incoming GDPR. As outlined above, there must be significant changes to the way your business collects, handles, secures and shares data in May 2018 and beyond.
Once these regulations are introduced, your organisation won't get away with a minor fine for mishandling sensitive information. Failure to prepare will lead to severe, if not business-ending, financial consequences. Don't get caught out, start your GDPR readiness journey today.