If you work in any kind of business that handles customer data then you ought to have heard about the General Data Protection Regulation (GDPR) by now, the European Union’s new regulation (not a directive: it applies directly in every member state without national implementing law) designed to protect the personal data and privacy of individuals in the EU. If not, you certainly ought to be considering the impact it could have upon you and your business in less than a year.
Here’s why: failure to comply with the GDPR could see you fined up to four percent of your global annual turnover or €20 million, whichever is greater. Sounds a bit extreme and only something big businesses need to worry about? Think again.
If you handle customer data from within the EU then you have less than a year to comply with the new regulation. Failure to do so could put you out of business.
Neill Lawson-Smith, Founder and Managing Director, Certified IBITG EU GDPR Practitioner
The GDPR comes into force on May 25, 2018 and affects any organisation established in the EU, as well as any organisation outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU. That includes US firms handling the data of people in Europe. So, that’s any company handling personal data, meaning any data that identifies or could be used to identify a living person: a name, an email address, bank details, perhaps a photo, or even a computer’s IP address. Anything that counts as personal data under the Data Protection Act also qualifies as personal data under the GDPR. If you’re starting to scratch your head at this news, you're not alone.
Your next problem is identifying a breach if and when it occurs, which is no mean feat. Some businesses know they may not be able to do this in a timely manner; the smart ones may already have the right network security monitoring in place. But just what does a network breach mean for you in terms of the GDPR?
Any personal data breach that is likely to ‘result in a risk to the rights and freedoms of individuals’ must be reported to the data protection authority within 72 hours of first becoming aware of it. In the UK this is the Information Commissioner’s Office. Where the breach is likely to result in a high risk to those individuals, the affected people must also be told without undue delay. Of course, it's very likely that some firms will not know the true scale or implications of a breach in the early stages. Even so, you must ensure that you have contacted the authority within the allotted timeframe, outlining the nature of the problem, the categories and approximate numbers of people affected, and the measures you are taking to address it. Where you do not yet have all the details, the regulation allows you to supply them in phases, but the initial notification cannot wait until the investigation is complete.
Of course there are numerous challenges to implementing all this. Being assisted by a strategic partner with fully compliant data protection officers will help you turn the approaching legislation into something of an opportunity to improve the data protection processes you already have in place. At the same time, a better understanding of the customer data you hold should bring other benefits as you begin to tailor new products and services.
Under the terms of the GDPR you’ll also need to appoint a dedicated Data Protection Officer (DPO) if your organisation is a public authority (except for courts acting in their judicial capacity), if its core activities involve large-scale, regular and systematic monitoring of individuals, or if they involve large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Unfortunately, GDPR compliance doesn’t happen overnight, so it’s vital that processes are put in place now. This means getting to grips with the data you hold and understanding just what will be affected by the new legislation. Could you quickly find where specific data sets are held, and who is responsible for them, if you needed to? What about Subject Access Requests (SARs)? Are you equipped to deal with individuals who want to see the information you hold about them, and to respond within the one-month deadline the GDPR sets (extendable by a further two months only for complex or numerous requests)? If the answer is ‘no’ and things seem a little cloudy, then you could be in trouble.
By putting the right processes in place and working with a strategic partner, rather than risking a huge fine, you can make the journey to GDPR compliance a valuable one for your business: you unlock data silos, better understand what you hold and ultimately improve security processes for both you and your customers.