Today, the EU General Data Protection Regulation (GDPR) becomes law and the 2-year countdown has begun for organisations to fully comply with the new laws designed to harmonise data protection across the continent. Heralded as “a major step forward for consumer protection”, the GDPR seeks to help consumers benefit by defining a single set of rules, focused squarely on the sovereign privacy rights of people, no matter where in the EU they are. But what does it actually mean for organisations that maintain data? And why should they take it seriously?
- Larger penalties for data breaches
Even without any supposition or accusation of deliberate misuse of personal data (which is still a major part of the regulation), the introduction of the GDPR will place an even greater onus on organisations to safeguard the personal data they hold from accidental disclosure and cyber attacks. If they fail to take the proper steps to protect that data, the limits on penalties for a breach are much larger than most have dealt with before – with reported fines of up to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.
- Outsourced risk no longer means passing the buck
The new rules also make clear another important factor: you can outsource your risk, but you can’t outsource your responsibility. If organisations use a third-party provider to store or handle data – such as a cloud provider – they are still responsible for the correct handling and protection of personal data and must be able to demonstrate how the data is protected at all times, whether in their own or in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.
- Providing online access to personal data
Organisations will now have to provide citizens with online access to any of their own personal data that they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with the GDPR in effect organisations must make it available for download ‘where possible’ and ‘without undue delay’. This is a very significant change: making these online data subject access requests secure, in the context of the new, stricter rules for protecting that data at all times, will represent a significant challenge to many organisations and will require adoption of robust cybersecurity technology across the board.
With the risk of hefty fines for firms that leak personal data, along with the reputational damage and resulting revenue hits following a data breach, cybersecurity is a board-level issue with significant consequences if not properly addressed.
If companies had been turning a blind eye to cybersecurity in the past, now is the time for them to stand up and take notice. The GDPR is a change of legislation that well and truly puts the onus on organisations to get their houses in order. And the clock is ticking…