Starting May 25, the way companies operating within the European Union (EU) handle data will undergo a radical change. In the wake of some high-profile cases across the world that have seen the confidential data of millions of consumers fall into the hands of hackers and other cybercriminals, European lawmakers have decided that a more unified and structured approach is necessary to ensure that such security failings are less likely to occur.
Approved back in April 2016, the General Data Protection Regulation (GDPR) is designed to fulfill three key objectives:
- Harmonize data privacy laws across Europe
- Protect and empower all EU citizens’ data privacy
- Reshape the way organizations across the region approach data privacy
Taking the place of the Data Protection Act of 1998, which is now obsolete due to the emergence of technologies such as cloud storage, GDPR will affect two primary groups – data controllers (those who collect data) and data processors (those who process data and use it for their own ends). As for the data GDPR applies to, it covers IP addresses and “economic, cultural and mental health information” as part of a person’s overall personally identifiable information.
In order to comply with the new legislation, there are a number of aspects for these two groups to consider.
How Data Is Collected
Going forward, data controllers must ensure that they are fully transparent as to how they handle their users’ data. Information can only be collected for a specific and clearly defined purpose and cannot be repurposed for other means. Those who have their data collected can also request at any time for it to be deleted from the system, and it is the responsibility of the collector to act upon this request.
What Consent Is Required?
Currently, many websites automatically harvest user data unless the user actively seeks out the option to decline such collection. Once GDPR takes effect, though, the opposite will be true: users will have to actively give their consent before their data is recorded, and they will be able to withdraw that consent whenever they want.
Furthermore, users can request access to their data, which must be presented within a month of asking. This will give people the opportunity to see how their data is being stored and ask for any amendments to be made if needed.
What if a Breach Still Occurs?
Should a breach occur, the victims will have 72 hours to inform the relevant authorities, which in the United Kingdom will be the Information Commissioner’s Office. Once contact has been made, a report will need to be filed describing the nature of the breach and how many people may be at risk, what the repercussions might be and what the company’s plan is to rectify the matter.
Failing to declare that you’ve been impacted can lead to financial penalties for large corporations of €20 million or 4 percent of global annual revenue – whichever is the higher figure.
How to Comply With GDPR
Between now and May, the first step for businesses to take should be to review any policies already in place relating to data collection and handling, and adjust them accordingly. Dedicated staff members may have to be trained to oversee ongoing compliance, or extra recruits with the skill set to handle such sensitive internal company workings will have to be taken on board.
Lastly, from the perspective of data controllers, it’s highly recommended that they make contact with any other businesses they have extended dealings with to make sure they are also doing their bit to comply with GDPR.
It would be a terrible shame to invest so much time, money and manpower into compliance only to have a third party bring it all tumbling down. It pays to have the conversation with them, given that around 84 percent of small business owners were found last year to be unaware of the upcoming changes. Share your knowledge with them and ensure that all of your relationships with both stakeholders and customers are underpinned by an equal commitment to data protection and user confidentiality.
About the Author
This article was contributed on behalf of Cheeky Munkey, providers of IT support services to companies within London and the surrounding counties.