Heralded as “a major step forward for consumer protection”, the EU General Data Protection Regulation (GDPR) became law earlier this year and defines a single set of rules across the EU to protect the sovereign privacy rights of individuals. But what does it mean? And why do we need to take it seriously?
1. Very Substantial Financial Penalties
Even without any supposition or accusation of deliberate misuse of personal data, the introduction of GDPR places an even greater onus on your organisation to safeguard personal data from accidental disclosure and cyber attacks. If you fail to take the proper steps the limits on penalties for a breach are much larger than previously, with maximum fines of up to €20m or 4% of annual worldwide turnover - whichever is greater.
2. You can Outsource Risk - but Not Responsibility
The new rules also make clear another important factor: if you use a third-party provider to store or handle data – such as a cloud provider – you are still responsible for the correct handling and protection of personal data and must be able to demonstrate how the data is protected at all times. Therefore, formal privacy-by-design techniques need to make their way down your supply chain in order to avoid penalties and extremely challenging incident identification and response issues.
3. Peoples Personal Data must be Transparent
You now have to provide individuals with online access to any personal data that you store about them. Whilst the Data Protection Act traditionally allowed anyone to request access to their data, with GDPR, organisations must make this data available for download ‘where possible’ and ‘without undue delay’. This is a very significant change. In addition, making these online data requests secure (again in line with stricter GDPR requirements) will present a significant challenge to many organisations and will require adoption of robust cybersecurity technologies and processes.
With the risk of hefty fines for firms that leak personal data, along with the reputational damage and resulting revenue hits following a data breach, cybersecurity is now a board-level issue with significant consequences if not properly addressed.
If your firm has been turning a blind eye to cybersecurity, now is the time to begin taking this critical issue seriously. GDPR is a game changer that well and truly puts the onus on YOU to get your house in order. And the clock is ticking…