In May 2018 the European Parliament will roll out a brand new data protection regulation stricter than any that has been around previously. Companies will be expected to have extensive knowledge of the data they hold on individuals.
Failure to comply with this new legislation can result in huge fines.
The General Data Protection Regulation (GDPR) will replace the existing Data Protection Act 1998 to bring data protection in line with the technological advancements of the past decades. A general overview of the GDPR legislation can be found here.
Although the rules are clearly stated, many organisations have been left confused about how to comply with the new rules. We have rounded up some main points that we think will help businesses comply and save them hefty fines.
Will you be affected?
The GDPR will be relevant to any entity that has customers or partners in the EU. This means that even if your business isn't based within the EU, if you trade with anyone or hold any customer data for anyone residing in the EU, you are bound by the GDPR.
This act will affect organisations worldwide. With fines based on annual turnover and a minimum of $10 million, it's important to properly understand whether your business will be liable.
The fines are as follows:
For minor breaches, expect to see fines of up to 2% of annual worldwide turnover or $10 million, whichever is greater.
Major breaches will see an upper limit of fines of up to 4% of annual turnover or $20 million.
These fines are enough to put even large, global corporations out of business, so compliance is of absolute importance.
To get started on compliance and avoid these nasty costs, the below guidelines can help you prepare.
With regard to individuals' personal data, businesses must know exactly where the information is stored. This means that it is wise to keep track of any processing, even if you are a smaller organisation.
Larger entities (anything with 250 or more employees) must keep auditable records of any personal data that has been processed. Additionally, if information goes out of the European Economic Area, a data transfer agreement is required.
The main reason for needing auditable records is to prove compliance. By doing this, your business will be in good stead for the Accountability section.
For personal data, technical tools that help manage the information are invaluable. Any programmes that help with recording data should be used.
When data is no longer needed, the GDPR requires that it be deleted, which is when technical programmes also come in useful.
New and improved rights
Once the GDPR comes into play, individuals will have more rights to their data than ever seen before.
The regulation aims to give complete transparency and control. Individuals will have the right to a copy of any personal data held on them. In addition to this, they are also within their rights to demand erasure and correction of data.
These requests come with time limits. Upon a request for a copy, erasure or correction of data, the business must have it handled within a reasonable timeframe.
Depending on the request, businesses must have it completed within one month. However, for bespoke details, there is the right to appeal for a longer time frame.
Similar to the previous point, auditable logs will take much of the pressure off and allow a quicker response by showing exactly where the data is.
It's recommended to create procedures for these requests so that employees have clear instructions on how to respond. They should be trained on where data is stored and have clear details on how to mark disclosed, deleted, corrected and restricted data.
Adequate Data Protection
It goes without saying that other peoples (and of course your own) data should be protected to the best of your ability.
Once the GDPR has come into place this will be a law and heavy fines will be dealt on failure to properly protect data.
Chances are you already have safety measures in place (or we hope you do, anyway); these include the typical anti-virus/anti-spyware and next generation firewalls that can scan encrypted traffic. An additional step that should be taken to ensure data is well secured is to conduct an analysis of your data security.
You may think your system is well secured and all information is secure, however, Just Firewalls has seen many businesses with the most comprehensive security strategy find blind spots and weaknesses they didn't know about.
By knowing your weaknesses you can address them to create an all-round secure system.
By having a resilient system, you lessen your chances of receiving the fines that will very possibly destroy many businesses who fail to comply once the GDPR is in place.
The GDPR is one of the most profound regulations to come into force regarding data protection and technology. The comprehensive act will require a great deal of work for businesses to put procedures in place and, more importantly, train staff.
Although it won't be put in place until 2017, the time to start getting ready is now.