In less than 12 months, the General Data Protection Regulation, better known as the GDPR, is set to take effect. It will mean changes for businesses as well as individuals, but just what these changes mean can be a little confusing. Although these regulations came into force back in May 2016, they won’t become applicable until May 2018. This is less than twelve months away, so now is the time to start learning how this will impact your business.
The sooner you learn more about the General Data Protection Regulation, the sooner you can start working to ensure your business isn’t breaching the new data protection rules. So how will the new rules affect your business? What benefits does the GDPR give to businesses? And what happens if you breach the rules?
The changes you will see
The GDPR is set to modernise a number of the principles you will find within the 1995 Data Protection Directive, bringing it up to date and in line with the way technology works now. A Q&A on the European Commission website gives us the chance to see the main changes and updates happening.
These changes, as you can see, are set to change the way that personal data is handled. Individuals will gain more control over it, instead of businesses or websites, and there will then be standards worldwide to help ensure personal data is handled the same way.
This big change in the regulations, and stricter enforcement of the rules, intends to make data sharing and data protection more consistent. It means that individuals will know their rights when it comes to data protection, and that businesses have clearer guidelines on what is expected of them.
However, even now people are confused. They are questioning whether the changes are actually workable, and just how big of an impact these changes have on businesses.
What it means for customers
Your customers and other individuals will gain a number of benefits from this shake-up of the data protection and security regulations. The main change in the GDPR is that individuals will have “a right to be forgotten”. This means that, should individuals have legitimate grounds for it and be able to provide proof of it, they can get their personal information taken down from websites and links removed from search engines.
As it stands, getting your name removed from search engines is already pretty challenging. There are a great many hoops you need to jump through, and so the change in law is set to make it easier. However, this might not be the case.
Websites like Google are already working on these “right to be forgotten” requests, and according to the BBC it is one of the few areas of Google’s search system that will be governed by people, and not an algorithm. This means that it will take longer to look at each request, and even then there is no guarantee that the information will be removed.
If you want to know about the information organisations hold on you, it is now free. As Computer Weekly explains, while the law seems to place a lot of emphasis on hacking, it isn’t just about that. In the past, you would need to pay £10 in order to get access to information organisations have on you under the data protection law. Now it will be free, although there are still a few restrictions in place.
There is also now data protection by design and data protection by default. This means that safeguards must be built into products and websites from the earliest possible point of development, to ensure that data is properly protected. It also means that privacy-friendly settings must be enabled by default. On places like social media sites this is important, as it means users’ information is set to private before they even post anything, and so they will only need to change it if they do not want to keep their activities on social media private.
One of the big changes is that people now have a right to know when their private data has been hacked. In the past, it has taken months for hacks to come to light. When they have, they have been big news. For example, the recent news that the CIA has been hacking routers for years has put people on edge. We have only just been told that it has been happening.
Now things are going to work a little differently. Those processing the data must notify affected individuals of any data breach as soon as possible, and once they have been made aware of the breach they must also tell the Information Commissioner’s Office (ICO) about it within 72 hours. You’ll know sooner when your private data has been compromised.
What does this mean for businesses?
When you are running a business there are a number of different things you need to concern yourself with, especially when it comes to data protection. Often the lines have been blurred and difficult to understand, but now the GDPR is set to make things clearer and more consistent.
How? Well, there are a number of different factors. It used to be that companies not based within the EU had different rules to adhere to than those within the EU. The stricter standards meant that customers would often be attracted to businesses based outside of the EU for all of their needs. Now it will create “a level playing field”, as companies outside of the EU that offer goods and services on the EU market will need to meet the standards set by the EU. Even if you are not based in the EU, your business will need to comply with the new standards if you supply goods or services on the EU market.
The consistency doesn’t stop there. Previously businesses would find that they would have to deal with many different laws and supervising authorities when offering goods or services within the EU. Now they don’t need to, as there is now one law and one single supervising authority to turn to. This makes it so much easier and convenient for businesses to know where they stand.
However, while these new rules are said to “bring benefits of an estimated €2.3 billion per year”, there is still some concern around them. Businesses in member states might have until May 2018 to comply with these new rules, but getting the staff to help will be difficult and a drain on resources, especially if you want to hire competent people to do the job.
There is also the concern that a regulator may not feel that the measures your company has in place are sufficient. Regulators will have more powers to intervene if they feel those measures aren’t tough enough. Given that the legislation is still untested, it is easy to see why there are concerns for businesses.
The penalties in place
The big concern for businesses is getting prepared in time. Many businesses have already begun to make changes to ensure that they are GDPR ready, but a great deal don’t understand how failing to prepare can cost them.
We already know what a cyber attack can cost your company, but what of the fines if businesses do not meet the new standards? There are a lot of variables in place, meaning that the fines can change depending on the circumstances.
However, the EU General Data Protection Regulation website, alongside the European Commission’s website, helps to explain just how the penalties will work. Both set out the different factors those enforcing the GDPR will look at when it comes to violations.
The EU GDPR website tells us that “organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million”, and this is understandably making businesses panic. However, they also explain that “this is the maximum fine that can be imposed for the most serious infringements”, such as a lack of sufficient consent from customers when processing data or violating the core concept of Privacy by Design.
The fines are set into tiers. The fine outlined above is an example of the second tier, which might be imposed if a data subject’s rights are infringed upon. The first tier will set fines of a maximum of €10 million, or up to 2% of worldwide annual turnover. This tier relates to businesses and organisations that do not conduct proper impact assessments, which the new regulation requires. For most businesses, if you do the things required of you by the GDPR, then being fined will not be an issue. So how do you actually prepare?
Preparing for the General Data Protection Regulation
It seems like an incredibly daunting task for companies to prepare for GDPR coming into full effect in May 2018, and we can see that many firms are not ready. In fact, just 38% of businesses globally stated that they have comprehensive plans in place to help with GDPR compliance. The other 62% are risking those hefty fines we discussed earlier because they just haven’t prepared. So what do businesses need to do to properly prepare for GDPR?
The first thing that you will need to do is review all of your current procedures, security processes, and policies. This can seem like a huge task, but by going through them now, you might just discover that a number of your policies are already GDPR ready. If they are, you don’t have to do anything further down the line. It is already done for you, so you can simply continue as you are now. However, even if your policies aren’t ready for the GDPR, you’ll be able to see the changes you need to make simply by mapping and auditing what is already in place.
The biggest challenge for many is that they will need to train staff on the new guidelines. How you train your staff will depend largely on your business. They’ll need to understand how these changes will affect their work, and you might also need to consider information security training for them. This will help staff to understand and spot potential breaches, and so they then know the right steps to take in order to inform the ICO and affected customers about it.
Preparing for the GDPR is made a lot easier when you have a data protection officer (DPO) in charge, to ensure that data is properly protected and handled in the right way. However, while the GDPR makes it a requirement for certain businesses to appoint one, many don’t have to and so they won’t bother. You are probably best appointing one anyway, so that there is one particular individual in your business you can contact about data protection and any potential breaches.
There are so many different areas of your business you will need to review, from policies to how you get consent from customers to store their data and the paper trail you keep to prove you have done as asked. It can be pretty intimidating, but don’t worry. The ICO have prepared a 12 step document to help you get GDPR ready. It shows the areas that you should look into to ensure your business is prepared for May 2018.
How Open Data Security can help with security
Many companies will decide that they want to hire professionals to handle their network security, server security, and check that they will not be breached in a cyber attack. This will help to keep the private data of your customers secure, and this in turn will help to increase the confidence that your customers have in your business.
One of the key things you will want to do is run a penetration test. A penetration test will give you a full analysis not only of your web application, but also of the flaws in it. It can emulate real attack scenarios, giving you the chance to see how your security fares and the areas you will need to improve upon, in order to keep customer data safe and secure.
Not convinced that a penetration test can help? There is a lot that could happen simply by not running one. The Ashley Madison hack could have been prevented if the company had run a penetration test on their system first, as then they could have fixed the flaws before the hackers attacked, saving the data of their customers.
Feel that your company isn’t GDPR ready and need help ensuring that your security is as tight as can be to protect customer data? Contact us. Here at Open Data Security we will be able to run penetration tests, train your staff to defend against cyber attacks, and help you improve your network security. These can all go a long way to help you get GDPR ready.