The two-year countdown to compulsory compliance with GDPR, the EU's new data protection regulation, starts today, but are you ready?
Today, the countdown begins. In two years' time, it will become legally compulsory for companies to comply with the European Union's General Data Protection Regulation (GDPR).
But what is GDPR? And is it really that important to be compliant?
The GDPR was approved earlier this year by the European Parliament in Strasbourg, and took four years to draw up. The framework essentially replaces 1995’s Data Protection Directive, which is no longer particularly suited to the age of cloud computing, big data, and social networking.
The GDPR is designed to give everyday citizens more power over their personal data, which includes the right to be forgotten.
Companies and businesses that do not comply by May 2018 will also face tough legal and financial penalties. To be exact, those not adhering to the new rules will face fines of up to 4 percent of their global revenue for the previous year, or £15 million, whichever is greater. This dwarfs the current maximum fine of £500,000 under the UK Data Protection Act. Companies and businesses will also have just 72 hours to notify data protection officials following a breach.
Ultimately, companies now have just two years to complete a fairly comprehensive checklist to ready themselves. This includes being able to clearly identify the personal data they hold, and making an inventory of all their processing and storage activities.
Data that is not needed will have to be deleted, as retaining some personal data will no longer be lawful. Even if Britain leaves the EU in next month's referendum, any country or company that deals with companies within the EU will have to be GDPR compliant.
“The GDPR aims to modernise data protection rules for today’s digital challenges, increase harmonisation within the EU, strengthen enforcement powers, and increase user control over personal data,” said Mozilla, the creator of the Firefox web browser.
“The Regulation moved these goals forward, although it is not without its flaws. With some elements of it, the devil will be in the details, and it remains to be seen what the impact will be in practice.”
With this in mind, TechWeekEurope has rounded up some comments from vendors and spokespeople regarding how GDPR will affect companies and how to go about best implementing it:
Eduard Meelhuysen, EMEA vice president at Netskope
“If they are to comply, IT teams will need to make the most of the two-year grace period which means that both cloud-consuming organisations and cloud vendors will need to take active measures now.
“As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation. The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.”
Dave Allen, Dyn senior vice president
“As the EU General Data Protection Regulation (GDPR) comes into effect, businesses will need to take a hard look at their current methods of sharing and storing data. While some Internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.
“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.”
Ruaraidh Thomas, managing director at DST Applied Analytics
“In preparation for the GDPR, businesses must take note of how consumers wish to be engaged, especially since so many businesses rely on data as part of their business model,” says Thomas. “The fact that some consumers are happy to provide their data if they understand what it is to be used for demonstrates just part of the opportunity available for businesses who respond appropriately.”
“Valuable data assets are growing exponentially and the desire to extract value from this information is at an all-time high. Many companies have built powerful commercial models centred on the insight extracted through the analysis of data. However, these organisations must now deal with a conflict that occurs between the desire to extract greater value from sensitive data assets and the need to do this ethically, securely and in a way that complies with current and emerging legislation.”