GDPR – General Data Protection Regulation: EU’s New Standard for Consumer Privacy
In April 2016, the EU decided it was time to update its Data Protection Directive, which had been the standard since 1995. The outdated policy did not offer residents the level of protection so desperately needed in a world where information is available at the click of a button. The new General Data Protection Regulation (GDPR) sets stricter guidelines and stiffer penalties for non-compliance.
GDPR’s requirements differ significantly from the 1990s directive. The new rules require companies to follow stricter handling practices for the customer data they collect, specifically in the following areas:
- Removal: In the past, customers did not have the right to require companies to remove and delete their information. GDPR requires businesses to remove any consumer records upon their request. Corporations must wipe all personal information from their systems.
- Portability: In addition to being able to request removal from company databases, consumers have the right to ask that their personal data be transferred from one company to another. Corporations must comply with the request.
- Accessibility: EU residents have a legal right to request access to the information collected by companies with which they do business. Corporations must provide copies of all data collected upon request.
- Transparency: Gone are the complicated end-user releases used by companies. GDPR requires that businesses make their language easy to understand and detail exactly how they use personal consumer data.
In addition to these areas, companies must adopt stricter breach notification policies. In the event of a data breach, corporations must notify their customers within 72 hours of the intrusion.
Increased Fines – GDPR
Under the new GDPR system, companies found in non-compliance with the regulations face stiff fines. While the penalties are tiered, the amounts are still significant. Companies that do not keep their paperwork in order may see a penalty of 2% of their annual global turnover. However, if a company experiences a security breach, it faces fines of up to 4% of its annual worldwide turnover or €20 Million, whichever is greater.
Fining companies that experience security breaches is not unheard of under the old EU policy. However, a loophole protected businesses that processed data on behalf of another firm. The new regulations do away with this protection. According to Article 32 of the GDPR, data processors are just as liable for security as controllers. Corporations that process data receive a smaller penalty under the new regulation, with fines of 2% of annual global turnover or €10 Million, whichever is greater.
Data Recovery and Security
All EU companies must have a disaster recovery plan. GDPR not only requires that a plan be in place, but companies must also test it at regular intervals. Under these new protocols, the data recovery plan must give companies the ability to restore any information lost due to technological or physical issues.
Companies must put in place policies that restrict the access suppliers and staff have to consumer information. Policies are only the beginning: access-management technology such as multi-factor authentication, granular password controls, and role-based privileges also needs to be in place.
While Windows is one of the most popular operating systems, it is the product of a North American company, and EU corporations cannot rely on its built-in security features alone to bring their business into compliance. Instead, using third-party intrusion detection systems and virtual private networks can help bring EU corporations into line with the new rules.
In the event of a breach, a quick response is necessary. Regulations require not just an immediate response to fix the issue, but also a plan of action to prevent future violations. Analysis logs and their subsequent management help IT personnel locate the source of the breach. The record gives insight into why the violation occurred and is a starting point for problem resolution.
Not Just Limited to EU
EU residents expect the same protection whether their data is collected and retained by a local company or a foreign entity. Corporations outside of the EU should review their data protection and privacy policies to ensure they match up with GDPR standards. A Chief Protection Officer (CPO) familiar with GDPR requirements can consult with legal counsel and help others in the company understand their legal obligations to EU clientele.
GDPR is the standard for consumer privacy in the EU. However, companies still have time to adopt these protocols before they face the hefty penalties called for under the new guidelines. With a deadline of May 25, 2018 looming, it is time for businesses to complete their compliance updates rather than wait until the last minute.
For more information, read our blog post: The Importance of Regional Data Centers for Office 365 Backup