So you’ve probably heard of the General Data Protection Regulation, otherwise known as GDPR, which is an EU effort to improve, tighten and extend security regulation across Europe.
What you might not have considered is how this new legislation will affect your business. The most important thing about the GDPR is that it applies to any company using any kind of personal data on EU citizens. That means that for the vast majority of US and UK firms that operate on an international scale, they must now be compliant with the regulation.
“UK-based businesses cannot afford to ignore GDPR despite the fact the country has voted to leave the EU.”
Dr Kuan Hon, cybersecurity expert
These businesses need to adjust to the new rules by 2018, or they can face huge fines. The maximum penalty that UK firms will now face is forty times larger than under the Data Protection Act, the existing framework.
“To avoid disrupting the company too much with major last minute changes, and incurring substantial costs in the process, it is vital that businesses operating in the EU take steps now to move towards compliance with the GDPR. Waiting until early 2018 or even late 2017 will be too late.”
Annabelle Richard, data protection expert
Here are six things you should make sure you’re ready for when the GDPR comes into effect.
1 More kinds of data
Fundamentally, the GDPR applies to ‘personal data’. This definition makes clear that it encompasses anything that includes any kind of online identifier, so the scope of what constitutes personal data is far greater than before. An IP address and geolocation data are both considered personal data in the GDPR rule book. This even applies to personal data that has been pseudonymised, if the company is not careful about how easily it can be attributed to particular individuals.
2 Extended definition of breaches
While previously a breach was focused on events that involved the ‘loss’ of personal data, the new legislation considers a security breach to include the destruction, loss, alteration, unauthorised disclosure of, or even access to, personal data. The range of events that fall under the remit of the GDPR is far greater than ever before.
3 Lower threshold for severity
Under existing law in the UK, breaches are only penalised if it can be demonstrated that those who have had their personal data exposed have suffered actual harm or financial loss as a result. The GDPR instead broadens this to any kind of distress, meaning far more security events will soon be under scrutiny.
4 Being unprepared can result in fines
One of the biggest changes that GDPR will bring is that fines can apply even to situations in which a breach has not occurred. The Supervisory Authority in the UK will be able to penalise any business that fails to observe the principles of the GDPR. That will most likely mean that punishments can be given to non-compliant organisations, even if no security event has taken place.
5 Less time than before
The GDPR is also stricter on how long companies have to alert the authorities in the case of a breach. There will be a compulsory requirement to inform the Supervisory Authority no later than 24-72 hours following a breach. Falling foul of this deadline could result in the full administrative penalty of 4% of turnover.
6 It applies everywhere
The GDPR is applicable to any company that holds personal data on citizens in the EU. Almost every global organisation should be preparing itself for the new legislation and introducing new measures to ensure compliance.