GDPR goes into effect officially on 25 May, and any business found not in compliance after that date could find itself hit with big fines (up to €20m or 4% of an organization’s annual global turnover).
The idea behind GDPR is to protect EU citizens’ privacy by giving them greater control over how their personal data is obtained, processed, and shared, as well as visibility into how and where that data is used.
The regulation enforces real consequences for data gatherers that don’t take care of the data they obtain. It also builds in greater accountability for those organizations to ensure they’re conscious of the data they gather, how it is stored, and how it is protected.
For many organizations that handle data, this means a shift in their data collection processes from beginning to end, and a hard look at what kind of data they’re obtaining, how well it is being secured, and an honest assessment of whether or not that data needs to be obtained in the first place.
It’s no longer enough to just want to collect user data: GDPR requires organizations to collect user data only where there is a ‘lawful basis’ to do so, and that basis must be documented.
As Sophos CISO Ross McKerchar told Naked Security in October, GDPR shifts the balance of power by turning data from an asset into a potential liability. Ensuring that data is deleted as soon as it’s no longer necessary becomes “a defence in depth measure – the less you store the less you have to lose.”
Data handlers may need to implement more informed consent processes when obtaining customer or user data, so EU citizens are fully aware of what they are opting into when an organization is entrusted with their PII (Personally Identifiable Information).
EU citizens can request information on the data held about them via a subject access request. The organization must then send a written report that explains what data is held about them, why it is being used, and who it has been shared with. Citizens can also request that any data held on them be deleted.
Another goal of GDPR is to make organizations much more proactive in disclosing a data breach, should one occur. This is why GDPR mandates that any person affected by a data breach be notified within 72 hours of the breach’s discovery.
GDPR implementation isn’t a technological box to check; it’s largely a matter of creating and formalizing processes to handle the new requirements that it introduces.
If GDPR is a concern for your business, it’s likely you’ve been getting your house in order for a while now. But with a month to go until the final deadline, it can’t hurt to check that your organization is on the path to readiness: Try out the Sophos GDPR compliance check for peace of mind – it’s only six questions!