“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” ~GDPR Article 5, clause 1(f).
From May 25, 2018, organizations will be penalized under the General Data Protection Regulation (GDPR) if they violate its privacy rules. The EU Parliament approved and adopted the GDPR in April 2016, and it will be implemented next month, forcing numerous organizations to change their data protection policies. The deadline is May 25, 2018. It will also restrict companies from circulating data to third parties, to control unwanted marketing and reduce the risk of data selling.
What is GDPR?
GDPR is a regulation that protects the personal data and privacy of EU citizens for transactions within the 28 EU member states and even outside them. It regulates the export of personal data outside the EU. It also gives users more control over how organizations use their personal data. Companies that fail to comply with the rules face hefty penalties.
What all data does GDPR protect for the users?
- Identity information like name, address and ID numbers
- Web data such as location, IP address, cookie data etc.
- Health data and genetic data
- Biometric data
- Racial data or ethnic data
- Political opinions
- Sexual orientation
Why did EU Parliament adopt this regulation?
Users in the EU were doubtful about how companies treat their personal data, which created mistrust. According to the WARC survey, 85% of users say they would boycott a company that showed disregard for protecting consumer data.
Are you at risk under GDPR?
Any company that stores or processes personal information of EU citizens within EU states will fall under GDPR. Even if your company does not have a business presence within the EU but processes personal data of EU residents, you are under the GDPR. A company with more than 250 employees, or a smaller one whose data processing impacts the freedoms of data subjects, will also be affected.
A survey from PwC showed that about 92% of US companies consider GDPR a top data protection policy.
What will the General Data Protection Regulation cost your company?
According to the PwC survey mentioned above, 68% of US-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9% expect to spend more than $10 million.
There is a huge group of third-party vendors that have access to this personal data across the globe. GDPR makes it very clear that companies need to ensure that all their third-party vendors adhere to GDPR and process the data accordingly.
The client contract must reflect the regulatory changes such as:
- Regulatory fines: The EU has long been known for its willingness to levy steep fines for regulatory non-compliance. If a data breach is reported, not having contracts in place could work drastically against the company.
- Operational: Have you decided the plan of action and the data flow with your third-party vendors? If not, it is not clear how you will operate under GDPR.
- Vendor management: Under GDPR, you must know how your vendors operate, what security framework they use, and how they process user data. Without such critical knowledge, you don’t know the risk they present.
Do your vendors follow a transparent process when it comes to data processing? Does your contract clearly state the data usage guidelines? If not, it is a clear indication that you don’t know what your vendors are doing with the data, which points to a larger management issue.
Implications of breach of contract:
If a company does not comply with GDPR, it can be penalized up to €20 million or 4 percent of global annual turnover, whichever is higher. The question is how the penalties will be assessed.
According to the agreement, regulators will act swiftly against a few companies found not to be in compliance with GDPR, to send out a message. This will help organizations assess the penalties related to GDPR.
Companies must report data breaches to supervisory authorities and to the individuals affected by a breach within 72 hours of threat detection. The GDPR requirements will also force companies to change the way they process, store and protect users’ personal information.
Are you ready with a robust data protection framework?
Here is what you need to do:
- Involve all the stakeholders — IT alone cannot set up a data security infrastructure. Get hold of anyone and everyone in your organization who collects client information.
- Conduct a session for all the stakeholders in the process — Explain to your stakeholders why GDPR is important and how it can change the organization’s processes. Tell them about the consequences and how the regulation can affect the company.
- Create a data protection plan — Many companies have already created a data protection plan, but it’s time to review it once again.
Mobile-first vs GDPR — Mobile devices are one of the major hurdles to setting up a strong security framework. According to a survey of IT and security executives by Lookout, Inc., 63% of employees access personally identifiable information (PII) of customers, partners, and employees using mobile devices. This creates a gap and a unique set of risks for GDPR non-compliance.
Companies facing GDPR compliance requirements must look for viable mobile threat defence solutions to protect EU PII and achieve risk mitigation. This requires a few steps:
- Identify risks on EU data that mobile devices can present
- Implement risk-based conditional access policies
- Prepare GDPR’s “72 hours threat notification” process
- Apply powerful security features around data transfer.
If your organization is in a growth stage focusing on EU-based clients, you surely need to do a lot of work on your security framework.
Still wondering where to start with GDPR compliance? We can help you out.
Get in touch with us here. Take the next step before it’s too late.