On 25th May 2018, the EU General Data Protection Regulation (EU GDPR) comes into force, replacing the Data Protection Act. It’s tougher, more wide-ranging, and carries a maximum fine of €20 million, or 4% of global turnover, whichever is higher.
Time to get prepared.
Anyone who holds data on EU citizens will be subject to the regulations. What counts as data covers almost anything you can think of: personal information, contact details, cookies, DNA…
While previous regulations in many EU countries have spared companies below a certain size, the EU GDPR applies across the board. You could be a man working in his bedroom, but if you’ve got a mailing list, you have to comply.
And that includes people outside of the EU who hold the data of EU citizens.
The biggest changes are to do with an individual’s right to privacy, which will be significantly expanded. Key provisions are:
Pre-set tick boxes and tacit consent no longer apply. Users have to give specific, proactive permission for you to hold their data. And you must keep a record of that.
If requested, you must delete all information held on that individual, including copies. That means you need to know if and where copies are held.
If requested, you must provide an individual’s data, in a format they can access, so they can share it with third parties. They own their data, not you.
If transferring data to a third party outside of the EU, that third party must be able to demonstrate compliance with the GDPR. That includes things as simple as saving data to a US-based cloud service like Dropbox.
These are all noble principles, and we should be glad as citizens to be granted these rights over our personal data. But as businesses, that means we need to keep track of exactly who holds what data, and where it’s stored – including on third-party services and servers.
In a world where 18-year-olds can hack the Pentagon, the EU understands that data breaches are nearly inevitable. So the bulk of the data security responsibility it imposes centres on reporting.
Any data breach must be reported within 72 hours. Failure to do so risks the maximum fine of €20 million or 4% of global turnover (whichever is higher). Organisations must also be able to demonstrate that all appropriate action was taken to prevent the breach. Confession is not enough to absolve cybersecurity sins.
The upshot? If you haven’t put proper cybersecurity measures in place already, now is the time to do so.
Will we in the UK have to comply with EU GDPR once Brexit takes hold?
In a word, yes.
Anyone who holds the data of EU citizens is expected to toe the line, regardless of whether they’re based in the EU or not. Aware of this, the UK government has already announced plans to introduce native legislation to mirror the GDPR, ensuring we don’t suddenly get booted off the European internet the second we set legislative sail.
The only difference is that the maximum fine is written as £17 million rather than €20 million.
The EU GDPR is the biggest shake-up in data protection since the current legislation was introduced in 1998. We may have a few months left yet, but the time to start preparing is now.
Existing Wisetiger clients can access our practical guide to GDPR compliance in their support path accounts. Everyone else should read the full regulation on eugdpr.org to be aware of their responsibilities, and conduct an immediate data audit to identify what gaps need addressing.
Whichever group you fall into, Wisetiger can help you prepare.
Contact us today for assistance with data auditing, process design and the implementation of semi-automated and automated tools to make compliance with GDPR as efficient – and painless – as possible.