GDPR is an acronym that has been doing the rounds for a couple of years now. It has become even more visible in the last few weeks, thanks to the Facebook and Cambridge Analytica data harvesting scandal. And with the deadline looming – 25 May 2018 – every organisation that handles personal data needs to make sure they're on top of things.
But what is GDPR exactly? And how is it going to affect you?
What is GDPR?
Before April 2016, the Data Protection Directive of 1995 was in place. It governed all organisations that collected, stored or processed personal data, but it was written for a very different technological landscape and had become outdated, so a replacement was needed. In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), created specifically to protect the personal data and privacy of people in the EU. Two points are worth noting here. First, GDPR is a regulation, not a directive: it applies directly in every member state rather than having to be transposed into national law. Second, it doesn't just apply to EU organisations – it applies to anyone, anywhere, who processes the personal data of people in the EU.
Over the past decade, theft of personal data has become a category of crime in its own right. Data is powerful, and its misuse can be devastating for the people it describes. GDPR aims to set a new benchmark for consumer data rights by making organisations more accountable. Under GDPR, organisations are responsible for guarding every piece of information that can be linked to an individual – and that includes IP addresses and web cookies.
Read more: Why GDPR is good for everyone.
Why should organizations bother with GDPR?
In December 2017, RSA Security (the company that takes its name from the RSA cryptosystem) surveyed 7,500 consumers in France, Italy, Germany, the UK and the US, and the results were interesting. Asked what their main concern was, respondents named lost passwords, banking information, passports and other important documents. More interesting still, over 60% of respondents said that in the event of a breach they would blame the organisation that lost their data rather than the attacker who took it.
If you work for or own a company that deals with the data of EU citizens, you’ll probably have GDPR on your radar. If you don’t comply, you’ll face a hefty fine – more on that below.
What kind of data are we talking about?
GDPR protects personal data, meaning any information relating to an identified or identifiable person. That covers identity information such as name and physical address; any ID numbers; online identifiers such as IP addresses, cookies and RFID tags; genetic data and anything related to health; biometric data such as fingerprints and retina scans; racial or ethnic origin; sexual orientation; and political opinions. Several of these – health, genetic and biometric data, racial or ethnic origin, sexual orientation and political opinions – are "special categories" of data that attract stricter rules than ordinary personal data.
Who must comply with GDPR?
You'll be governed by GDPR if:
- You're an organisation established in the EU, regardless of where the actual processing takes place
- You're not established in the EU, but you offer goods or services to people in the EU or monitor their behaviour, and so process their personal data
Note that headcount does not decide whether GDPR applies to you. The 250-employee figure you may have seen refers to a narrower point: organisations with fewer than 250 employees are exempt from keeping formal records of their processing activities, unless that processing is more than occasional, is likely to pose a risk to the rights and freedoms of individuals, or involves special categories of data or data about criminal convictions. Everything else in the regulation applies to you whatever your size.
When does GDPR come into force?
In case you missed it in the first paragraph, GDPR comes into effect on 25 May 2018. If you're not ready yet, now is the time to scramble to get things right and make sure you comply.
What if you don’t make the date?
Unlike an invitation to a birthday party, missing the date to comply with GDPR can cost you. The top tier of fines is up to €20 million or 4% of your company's worldwide annual turnover, whichever is higher, and applies to the most serious infringements: breaching the basic principles for processing, ignoring data subjects' rights, or making unlawful international transfers. The lower tier is up to €10 million or 2% of worldwide annual turnover, again whichever is higher, and covers failures of the organisation's own obligations, such as failing to report a data breach on time, failing to build privacy into systems by design and by default from the initial stage of a project, and failing to appoint a Data Protection Officer (DPO) where one is required. The DPO must have professional experience and expert knowledge of data protection law proportionate to the processing the organisation carries out. Note that the DPO is a specific GDPR role with protected independence; it is not the same thing as a Chief Data Officer, even if the same person ends up doing both.
If it makes you feel any better, you're not alone. A report from Ovum found that more than 50% of companies surveyed expect to be fined for non-compliance.
How do you prepare for GDPR?
Here are a few honest steps you can take to get to compliance:
- Prepare to spend: estimates for meeting GDPR requirements run from $1 million to $10 million
- Appoint a DPO (or, if you're not required to have one, someone who owns your data policies) and give them the authority to run the compliance programme
- Fully understand GDPR and its requirements
- Perform a risk assessment: map what personal data you hold, where it lives, why you process it and what the implications of losing it would be
- Develop a strategy to mitigate that risk
- Review or create your data protection plan
- Plan for a 72-hour incident response capability: GDPR requires you to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay when the breach is likely to put them at high risk. That clock only works if detection, triage and escalation are rehearsed before the breach happens
- Implement internal plans and policies, and train employees so that they actually follow them
For the third time then – time is running out! It's imperative that you ensure your organisation complies with GDPR before 25 May 2018. We'll follow up with some more thoughts to help you make the shift, as well as give you more insight into this game-changing regulation.
If you own or are part of an organisation that has migrated to comply with GDPR, please share some tips in the comments section below to help others still in the midst of the transition.