Although the GDPR, the General Data Protection Regulation (full text), has quickly become a buzzword, do you really know what it involves and what the consequences of not complying with the new regulation will be? Let's look at the GDPR a little closer.
What is the GDPR?
The GDPR is a new regulation on data collection that will come into effect on May 25, 2018. Businesses that gather information on EU citizens will have to comply with these strict rules around customer data. The new data protection regulation also governs the export of personal data outside the EU. These rules aim to strengthen customer rights and raise the standard of data collection and storage.
What kind of data does the GDPR protect?
- General identity information (i.e., name, address and ID numbers)
- Web-specific data (i.e., location, IP address, cookie data, etc.)
- Online financial information (i.e., online transaction history)
- Health and genetic data
- Biometric data
- Racial or ethnic info
- Political views
- Sexual orientation
Whom does the GDPR concern?
Any business that processes, gathers, and stores personal information about the citizens of the 28 EU states must comply with the new data protection regulation, even if the company is located outside of the EU. This concerns big corporations with more than 250 employees, and also companies with fewer than 250 employees if their data collection affects customer rights, is not irregular, and/or includes sensitive personal data. This basically means all companies.
If a company does not comply with the GDPR, the first step would be a formal written warning, which will be issued even to companies that are breaking the law without realising it. Ignorance is not a valid excuse. Regular periodic data integrity audits will be carried out to ensure compliance, during which potentially sensitive or confidential information will have to be provided to the auditors.
According to the regulation, a company violating the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). Maximum fines will be imposed for not obtaining the necessary customer consent to process data or for breaching the Privacy by Design principle.
On the other hand, the new data protection regulation can be interpreted in many ways. It states that businesses must ensure a "reasonable" level of security for personal data, but it does not define what "reasonable" means. This gives the institutions enforcing the GDPR a lot of flexibility in determining fines for data breaches and non-compliance.
Losing the competitive edge
According to an Ovum report, over half of the surveyed companies operating internationally believe that they will be fined under the GDPR in Europe. Two-thirds of the companies forecast a change in their international business strategy to adapt to the new data security regulation.
Here to stay
Companies must find a way and build strategies to comply with the new law, as it is not going anywhere. This means allocating significant resources: people, time, funds, technology, etc. One thing is for sure: compliance with the new regulation raises concerns and sets new expectations for the teams responsible for information security.
We have already made explainer videos about the GDPR that businesses use to explain this significant change to their employees. Get in touch with us to find out more about how we can help you explain in a simple and engaging way what the GDPR means for your company.