GDPR: Are You Ready for The Biggest Change to Data Protection Laws?
Hackers are no longer after social media accounts and email passwords. They are now after companies’ user data.
LinkedIn’s hacked database containing emails and passwords of 167 million accounts was on sale on the dark web for 5 bitcoin. The Heartland Payment Systems hack resulted in 134 million stolen credit card numbers and many fraudulent transactions. The consequences of the Equifax data breach, which exposed sensitive data of 143 million Americans, are still unclear.
Information is now the world’s most valuable resource, and that has led both to a cyber epidemic and to tough data protection regulations such as the General Data Protection Regulation (GDPR).
Imposed by the European Union, GDPR is one of the biggest and strictest changes to data protection laws to date. It aims to have a consistent data protection law across the union, removing the need for national implementation.
Even if you have never heard of it or if you are outside of Europe, it can still affect your business. Non-compliance with the regulation can result in fines of up to 20 million euro. But complying with the regulation will require a significant amount of time to understand, plan, and implement new solutions.
And with the enforcement date, 25 May 2018, approaching fast, you had better start preparing for GDPR as soon as possible.
Does GDPR apply to you?
Since it’s an EU regulation, you might assume that GDPR doesn’t apply to you if your organisation is outside the union. But if you process personal data of EU residents as part of your business activity then you should comply with the regulation, regardless of your company’s physical location.
The regulation also applies to all business sectors and companies of all sizes, not just corporate giants like Google, Facebook, or Amazon.
So if you hold any personal data that can identify a person, such as a full name, identification number, location, or IP address, then you must take certain steps to protect that data. The same applies to sensitive personal data (ethnic origin, political opinions, religious or philosophical beliefs, health, genetic or biometric data, criminal offence records).
If your company has fewer than 250 employees, there are some exceptions. Unlike larger businesses, you won’t be required to maintain records of data processing activities, such as details of who is processing the data or how long it will be kept.
However, this exception won’t apply to you if you’re processing data on a regular basis or if you’re dealing with racial, political, or genetic information that can pose a risk to the rights and freedoms of individuals.
Basic principles
A different approach to obtaining consent
Even without GDPR, you still have to obtain consent to process personal data. But the way this must be done under the new regulation is slightly different and more complicated. Pre-ticked boxes will not be considered valid consent. Giving consent will require a statement or a clear affirmative action by the individual.
Freedom of choice is another requirement: the performance of a contract cannot be made conditional on the processing of personal data that the contract does not actually need. Data the contract genuinely requires, such as an address for shipping goods or a credit card number to complete a transaction, is the exception.
Maximum transparency
GDPR gives EU residents the right to see what information you have collected on them, to know how you are using it, and to have it edited or deleted. This is where you will need to invest the most to comply with the new law; otherwise, you might have to pay an eight-digit fine. You will also need to collect only necessary information and tell individuals what their personal data will be used for.
You should also review all your past data processing activities and ensure that you have a lawful basis for them.
Data protection and reporting security breaches without delay
You will need to have policies to protect data against breaches, including insider threats and accidental breaches that happen due to negligence. If a breach does happen, you must report it without delay.
If Equifax had been operating in the European Union and GDPR had already been in force, the company probably wouldn’t have waited six weeks to notify its users that they were at risk of identity theft.
But this also puts a burden on organisations, as it’s difficult and time-consuming to estimate the consequences of a security breach, especially when it can destroy a company’s reputation.
How can a virtual data room help?
Understanding and complying with GDPR is complicated. There are many factors to consider and fines could be devastating, especially for smaller or medium-sized companies.
As we already mentioned in a previous article, 6 Ways a Virtual Data Room Can Transform Your Business, virtual data room technology can give you the highest grade of security while helping you organise your documentation. Using it to store personal data can protect you from external threats.
As the most advanced virtual data room available, TrueDataShare guarantees maximum data protection through encryption, backup, hosting on some of the most secure data centres in the UK, and numerous other measures to prevent cybercrime.
When it comes to internal threats, you have control over, and a full overview of, who has access to which information. This makes it easier to keep your employees responsible and accountable when they process personal data.