The new General Data Protection Regulation (GDPR) comes into effect on May 25. This is the biggest change to Europe's data protection rules in 20 years, and despite the fact that the UK is preparing to Brexit, we will still have to abide by the new rules until 2019.
All businesses that hold data on EU citizens will be affected. This includes employees and customers. Businesses are already required to protect sensitive data, but the cost of non-compliance has been substantially increased, with maximum fines of €20 million.
What is GDPR?
GDPR was debated for four years before finally being approved by the EU Parliament in April 2016. The GDPR is intended to replace Data Protection Directive 95/46/EC, "to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy."
Data protection compliance is no longer as easy as it once was. New rules and regulations are being put in place to bring the legislation in line with cyber threats and emerging technology. The main focus of the legislation is the implementation of secure data management and processing. If you hold data in the cloud, you will need to ensure there are adequate safeguards in place.
Some businesses may need to allocate more funds to safeguard sensitive data. For example, fintech start-ups that manage significant quantities of data to help them deliver financial products are likely to be greatly affected by the GDPR legislation. Any firm involved in the financial markets via day trading or online trading platforms will need to examine the new regulations very closely, as a compliance failure could be disastrous.
How will GDPR affect my business?
The territorial scope has increased, so more businesses will be affected, regardless of whether they are located in the EU. The legislation applies if you offer goods or services to citizens in the EU. It also applies if you process the personal data of EU subjects.
If your business isn't located in the EU, which may be the case once Brexit negotiations have been completed, you may need to appoint an EU-based representative to handle data processing of EU subjects.
Saying it plainly
There was a time when businesses could get away with publishing an incomprehensible document full of baffling legal terms relating to data privacy. From May, things will be very different. Terms and conditions relating to data protection must be written in plain English. Customers and employees must understand what they are agreeing to, and there must be an easy option to withdraw consent.
How to handle data breaches
If you do suffer a data breach, affected subjects must be notified within 72 hours. So, if your server is hacked and cyber criminals steal your customer data, you can't wait several months before ‘fessing up.
There have been a number of high-profile "incidents" in recent years that illustrate this. One good example of how not to handle it is when Uber was hacked in 2016, but tried to conceal the breach by paying hackers £75,000 to delete sensitive data. 57 million customers and drivers were affected. If this had happened once GDPR came into effect, it would likely have cost the firm a small fortune in fines.
Startups and existing businesses will have a lot to think about once GDPR comes into effect, so it's vital that you take the time to read up on the new regulations. Otherwise, you could have more to worry about than finding new clients.
Sponsored post. Copyright © Costea Lestoc, technical writer, author and blogger