The countdown is on. In just over eight months’ time, the General Data Protection Regulation (GDPR) will come into force and this will have huge implications for businesses – of all sizes and in all countries – which handle the personal data of EU citizens.
Billed as the largest piece of privacy legislation for 20 years, the GDPR isn’t merely a directive, but EU legislation enshrined in law. It has been designed to harmonise different laws to protect individuals’ privacy, giving consumers greater control and rights over their personal data. Individuals can request that businesses delete their information by exercising, their “right to be forgotten”. As such, there will be much stricter rules around consent; notification of data breach; mandatory privacy impact assessments, and the requirement for “privacy by design and by default”.
Failure to comply with the new regulation isn’t worth considering. Businesses could be hit with fines of up to four percent of annual worldwide turnover, or 20 million euros – whichever is greater.
Large corporates may be able to foot the bill, but such a sum could cripple a small or medium business. So it’s a surprise that only one in five of all European companies are prepared for the new legislation. The figure is probably lower still for companies based outside of the EU but still handle EU citizens’ data. What’s more, 52% don’t know the impact the GDPR will have on their organisations. For small businesses, this figure rises to 55%.
This year makes European Cyber Security Month the perfect time for businesses to get GDPR-ready. It may seem like a daunting task but there are a few steps businesses can take to ensure they are prepared:
Establish and assess how you deal with data
A thorough understanding of how your organisation deals with data is paramount. Under current rules, only data controllers are liable for compliance, but the GDPR obligations will fall on data handlers too. It is therefore important to establish whether your organisation is a data processor or a data controller, bearing in mind it could be both.
Knowing where data are stored, that location’s security, as well as determining whether those data are being shared will be critical, come May 2018.
Learn from the past
To check your capabilities in terms of reacting to a future attack, examine what has happened during past breaches and question whether the steps taken are capable of meeting the new requirements set by the GDPR. Under the new rules, breaches will need to be reported within 72 hours, together with information about the severity of the attack. If your company is unable to do so, that shortcoming may result in a hefty fine.
Appoint a data protection officer
This may be simple advice for a company with lots of money, but the added expense makes this off-putting for smaller businesses. However, it’s not as off-putting as being fined four percent of your revenue and might not need to be a full time responsibility.
The data protection officer acts independently and, reporting to the highest level of management, should help implement the requirements. Allocating further resources sooner rather than later will ensure your company is not only compliant but is equipped to deal with any data breach and mitigate the possibility of being fined.
Educate your staff, and yourself, on the rules
One of GDPR’s main aims is to strengthen the ability for people to be forgotten and have their data deleted. Companies will also have to gain “clear affirmative action” from individuals before processing their data. The rules also make it harder for children to hand over their data. Knowing how the rules change your organisation’s handling of consent, and the rights of individuals, is imperative.
Know your lead supervisory authority
The authority that handles any complaint against your company depends on where your company is based, not on the location of the individual raising the complaint. This can be difficult for companies that operate internationally, or even have multiple sites in different regions. There are also other directives in different countries that may go further than GDPR and that also need to be considered. You can read advice from the EU on finding your lead supervisory authority here.
With just eight months to go until the GDPR comes into force, businesses need to understand the GDPR fully and the steps they need to take to be compliant. The saying “By failing to prepare, you are preparing to fail” couldn’t be more applicable in this case. Take action now before it’s too late.
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that when the time comes, you have everything covered.