Doing business with the EU just got a bit trickier. Here’s what you need to do to prepare as the Union’s new data privacy laws go into effect.
The General Data Protection Regulation (GDPR) is a single, EU-wide regulation created to protect the personal data and privacy of individuals in the European Union. It replaces the Data Protection Directive of 1995, the framework that has governed data protection in Europe since the mid-1990s, and because it is a regulation rather than a directive it applies directly in every member state without separate national transposition.
One of the biggest shifts is that these rules apply not only to businesses established in the EU, but to any business anywhere in the world that handles the personal data of people in the EU, whatever their citizenship.
Will you be impacted by the GDPR?
If your company collects “any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person… anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address,” then the answer is yes.
In other words, if your company processes or holds personal data about people in the EU, you are required to comply with the GDPR regardless of where you are located. Note that “personal data” under the GDPR is broader than the U.S. notion of personally identifiable information (PII): it covers anything that can single out an individual, including online identifiers such as IP addresses, device IDs and cookie identifiers.
Some other key changes include:
1. Increased Scope: The GDPR extends its jurisdiction to “all companies processing the personal data of subjects residing inside the Union, regardless of the company’s location.” Companies established outside the Union that offer goods or services to people in the EU, or that monitor their behaviour within the Union, fall under the regulation and in most cases must also designate a representative in the EU.
2. Increased Penalties: Fines are tiered by the seriousness of the infringement. The most serious breaches (for example, violating the basic principles for processing or the conditions for consent, or infringing data subjects’ rights) can draw a fine of up to 4% of annual global turnover or 20 million euros, whichever is higher; a lower tier, covering obligations such as security, record-keeping and breach notification, carries up to 2% of turnover or 10 million euros.
3. Stricter Conditions for Consent: To avoid any ambiguity, consent must be “provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.” Sensitive data requires “explicit” consent, while non-sensitive data requires “unambiguous” consent. Bear in mind that consent is only one of six lawful bases for processing; where another basis such as performance of a contract or a legitimate interest genuinely applies, relying on consent is a poor choice, because consent can be withdrawn at any time and the processing must then stop.
4. Additional Data Subject Rights: Data subjects have the right to be told when their data is collected and why, the right to be notified without undue delay of a breach that is likely to put their rights and freedoms at high risk, the right to have their data erased when it is no longer needed for the purpose it was collected for (or when they withdraw the consent it rested on), and further rights of access, rectification, data portability and objection to processing, including to profiling.
The GDPR applies from May 25, 2018, but according to a survey conducted by the London Chamber of Commerce and Industry, only 16% of London businesses say they are prepared.
Preparedness is naturally lower in the U.S. and other countries outside the EU, where many companies do not yet realise that the GDPR is considerably stricter than the state-level privacy laws they are used to. That needs to change if these businesses want to avoid enforcement action after May 25th of this year.
Educate: First of all, make sure you really understand the GDPR. Know the difference between a data “controller” (the organisation that decides why and how personal data is processed) and a data “processor” (one that processes it on a controller’s behalf), since each carries its own obligations and both can be fined. Not just leadership, but every employee who handles personal data should be trained on the relevant rules, to establish a culture of accountability and transparency in your company.
Assess: Legal, compliance, and IT experts should come together to build a comprehensive inventory of the personal data your company holds: what you collect, where it is stored, who can access it, why you process it, how long you keep it, and where it flows, including to third-party processors. This lets you determine which data is subject to the laws of your state, your country, and international regimes such as the GDPR, and it is the basis of the records of processing activities that the GDPR itself requires (Article 30).
Protect: Secure the data you collect in proportion to the risk it carries. The GDPR (Article 32) explicitly names pseudonymisation and encryption as appropriate measures, so at a minimum encrypt personal data in transit and at rest, restrict access to it on a need-to-know basis, keep encryption keys separate from the data they protect, and test that these controls work. Be able to demonstrate them: a breach of data that was properly encrypted may not have to be communicated to the affected individuals.
Implement Necessary Measures: If your company falls under one or more of these categories: “(a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data,” you are required to appoint a Data Protection Officer (DPO) to advise on and monitor your compliance. Organisations outside these categories still have to be able to show compliance: carry out a data protection impact assessment before high-risk processing, put written contracts in place with every processor, and set up a procedure for reporting breaches to the supervisory authority within 72 hours of becoming aware of them.
Keep Up: The regulation’s text is settled, but how it is applied will keep evolving. Supervisory authorities and the European Data Protection Board publish guidance on how its provisions should be read, member states are adopting their own implementing laws with national variations, and the companion ePrivacy Regulation is still being negotiated. Follow these developments closely.
Your company is responsible for every piece of personal data it collects, and even the largest enterprises suffer breaches when they fail to protect their customers’ information properly. With cybercrime at an all-time high, it is important that your enterprise does everything it can to protect its digital assets.
At Turn-key Technologies (TTI), we have over two decades of industry-leading experience in high-level data protection. Network security will not make you GDPR-compliant on its own, but it is a necessary foundation for compliance. Our range of networking solutions lets us reinforce your network’s structure and deliver a high level of security while optimizing efficiency and speed in the process. By partnering with TTI, you keep your clients’ data safe, protect the integrity of your enterprise, and improve the performance of your network.