Save the date. On 25th May 2018, the long-awaited EU General Data Protection Regulation (GDPR) will come into force.
With many firms unaware of what this means for their organisation, Martyn Ryder, VP Sales and Marketing, sat down with NW Security’s Senior Consultant and GDPR Practitioner, Nigel Peers, in the UK to examine the regulation’s core principles.
MR: Many businesses are still wondering if GDPR has anything to do with them. Who will the new legislation affect?
NP: You’re right, it’s a question that has resonated in boardrooms across Europe over the last 18 months with increasing intensity: “what does GDPR mean for my business?” The answer is quite a lot, if your business is holding Personally Identifiable Information (PII), as many do. New, smart technologies have resulted in a proliferation of data in businesses of all sizes, which has meant current data protection laws required some adjusting. Put simply, the GDPR is an updated version of Europe’s current data protection regulations and aims to ensure the security and protection of PII. If your company stores personal data, then GDPR applies to you.
MR: So how should businesses go about preparing for GDPR?
NP: If you haven’t begun preparations, or if you are unsure how the regulation may impact your business, now is without doubt the time to start reviewing your data protection processes. Failure to comply with the new regulations could result in large fines, such as €20m, or 4% of a company’s annual turnover, whichever is greater. The reputational damage of non-compliance could also be catastrophic. Many of the data protection regulation’s core principles still apply, such as what data a business holds and where it came from, so if you’re up to speed with this, hopefully it won’t be a huge stepping stone to get to grips with GDPR.
MR: And what are the key differences between the current data protection regulations and the GDPR?
NP: We have identified four key top-level differences. These are:
- Accountability - While under the original laws the responsibility for a breach sat primarily with the controller, under the new legislation this now sits with the controllers and Firms must therefore begin looking beyond their four walls to ensure complete protection. For example, are a company’s suppliers also ensuring the technology or service they provide is adequately secured?
- Consent - Some organisations may have become complacent regarding consent under the data protection regulations, utilising personal data in a way that wasn’t originally intended when the data was first collected. It is vital businesses ask themselves:
  - Has the original purpose for having the data changed?
  - Are there any secondary reasons for data use that have arisen since the original purpose?
  - Has the data been shared with third parties since it was initially obtained?

  If any of the answers to the above questions is yes, the company may be in breach of the GDPR if the data subjects have not been kept informed of the changes in use, or the third parties are not GDPR-compliant.
- Territorial scope – The GDPR doesn’t only apply to those trading within the EU. International trading also applies if the data relates to an EU citizen residing in any member state. Furthermore, the regulations will still apply in the United Kingdom, despite the country’s decision to exit the EU.
- Privacy notices – There is a requirement for any business to inform data subjects of their rights and inform them of how their data is being utilised. They must also advise those potentially affected by a data breach within a certain time frame.
MR: Thanks Nigel!