After all the rumours, long debates, and heated discussions, the EU’s General Data Protection Regulation (GDPR) has been confirmed, and a date set for its enforcement.
In 2018, these comprehensive guidelines will underpin the way companies deal with, and protect, consumer information originating from the EU.
The consequences companies will face if they fail to adhere to the new regulations are going to be severe, to say the least.
EU officials have concluded that any company that refuses to comply with the new rules could be forced to pay a massive fine of up to €20 million, or four per cent of its annual turnover, whichever amounts to more. It’s a huge jump from the £400,000 fine imposed on Talk Talk by UK regulators, the highest recorded penalty to date for a data protection breach.
It may be an EU directive, but GDPR will affect any nation handling the personal data of customers residing within the European Union. So, despite Brexit, this will include all UK businesses that trade with 5,000 or more people within the EU, under its extra-territoriality clause.
The regulations could also apply to firms in the US, where many high-profile organisations handle a great deal of personal data originating from EU member states.
The new rules will thrust cyber security into the limelight, forcing companies to accept responsibility for their security protocols, and putting consumers first. Much of the content within the new regulations focuses on the importance of consistent, up-to-date security measures.
With large-scale data breaches becoming ever more commonplace, and the threat of significant infiltrations growing, these measures couldn’t come soon enough.
GDPR will not only give EU residents a strong degree of protection; it will give them more of a voice when it comes to deciding how their data is handled by the organisations that acquire it.
Many within the EU believed that the region’s existing rules on data protection, and the responsibilities that companies had to protect consumers, were weak and very much outdated. In fact, the current rulebook, the Data Protection Directive, is already two decades old, lagging far behind the climate that businesses trading online face today.
In 1996, while the Internet was still a fledgling platform for most organisations, there was nothing like the quantity of personal data being handled and shared by companies operating online. The existing regulations call for a very low minimum standard of IT protection, meaning the level of commitment from country to country can fluctuate dramatically. GDPR will be a unifying force that bridges this inequality across EU member states and, in many cases, beyond.
The small print
So, what are the changes? Much of GDPR centres on consent. As well as broadening the definition of personal data to include any information that could be used to identify a person, the processes required to gain this information will become far stricter.
Companies must inform individuals exactly why any personal data is being collected, and, in turn, what it will be used for. An organisation can’t just harvest this information. Instead, consent has to be given in a clear and valid manner. On top of this, all businesses will have to gain parental consent before processing any data from a minor below the age of 16.
Individuals will also have more control over how much of their data is made available. A new clause states that not only will consumers be automatically given the right to request a duplicate of their information, but they can withdraw permission for its further distribution and analysis, for good.
What’s more, it will become illegal for any data to be kept permanently.
Another critical area of online protection that GDPR covers is security, for both data controllers and data processors. Privacy impact assessments are set to become mandatory for all groups dealing with personal data originating from the EU.
By law, any breaches discovered will have to be reported to the relevant data protection authority within 72 hours. Larger breaches will require a business to contact consumers directly.
When the new legislation comes into effect, it won’t just be big business that will have to foot the bill if a security breach leads to a data leak. For the first time, data processors will be legally responsible, as third parties, for any safety issues at their end too.
Although smaller than those faced by data controllers, penalties for not adhering to the new regulations could see data processing firms hit with fines up to €10 million.
Companies are also being forced to make security an integral part of the design of their online presence. Any data no longer required must be disposed of, and in no instance retained for future reference.
For companies processing a large volume of sensitive data, for example, information on religion or race, it will become mandatory to employ a specialist data protection officer.
The whole GDPR process will be overseen and regulated by an EU-elected authority on data protection, a significant step away from the current bodies responsible for individual states.
GDPR isn’t going to come into effect until May 2018, but businesses will need to act now to avoid the heavy fines they will incur if their security systems are deemed insufficient when the new rules are introduced.
The first step is to evaluate the security systems they already have in place. It’s vital that companies take a long, hard look at the measures they have installed to ensure they meet the GDPR standard.
For those companies who fall below what is required, it’s time to invest in a serious IT security strategy.
At Gold Security, we have the expertise to ensure your online presence is as secure as it possibly can be, and that it remains that way permanently.
Providing each of our clients with a bespoke service, we will trawl your site hunting for any hidden weaknesses. After securing your site, we will give you the tools to monitor any potential breaches, catching them at source before they have the opportunity to cause any damage.
With these methods in place, your company will be able to tackle the challenges of GDPR head on.