GDPR (General Data Protection Regulation) is a legislative act passed by the European Union that ensures the data of European citizens is safe. It was framed by the concerted efforts of the European Parliament, Council of European Union and European Commission with the objective to offer its citizens better safeguards to protect vital personal data.
After years of deliberation and debate, the European Parliament finally passed the draft on 14 April 2016. The EU realises that organisations need time to become compliant and have permitted a 2 year period for transition. From May 25, 2018, all businesses that are non GDPR compliant will be penalised with hefty fines.
Whom does it affect?
The impact of GDPR will be far reaching for all businesses and citizens within the borders of the European Union. Any business that offers services or goods to EU citizens falls under the purview of GDPR, and if found non-compliant will be penalised as per law. It also includes businesses that retain the personal data of citizens of the EU are responsible for data safety.
Types of data covered by the GDPR
The data areas covered are Name, e-mail address, photo, personal medical data, social media information, bank details and IP address. GDPR includes all such information that is deemed as personal details or which may be used to discover one’s identity. For children aged 16 years and below it is mandatory to get parental consent. The act clearly defines those organisations and entities covered by GDPR. These include data controllers and data processors. With the current era being all about cloud computing all data stored in a cloud or in a different physical location also falls under the jurisdiction of GDPR. That means irrespective of as who uses the data, or how much of the personal data is used, penalties still incur for any kind of misuse of EU citizens data.
Penalties for non-compliance
Any business that is found to be GDPR non-compliant is liable to be fined after May 25, 2018. This would differ for businesses as it would be subject to the levels of violation. At the upper-end large businesses may have to pay out as much as 4% of annual turnover or 20 million Euros, depending on which is higher. An additional penalty may be imposed on organisations having to pay as much as 2% for lack of data security. The amount of penalty will, of course, be subject to the level of breach.
Data breach and GDPR
Data breach is defined as any situation where an outside source or party gets illegal access to personal data unbeknownst to the individual and without their consent. As a norm, most cases of data breach involve the misuse of personal data for nefarious and illegal gains. If at any point in time such a breach does happen, the GDPR clearly states that companies must provide immediate and adequate notification. For this, the affected company gets a 72-hour window to inform the concerned data safety agency and the concerned individual/s without any kind of delay.
- Align marketing and IT departments by investing in tools that seek to protect customer data
- Invest in a specialist such as a Data Protection Officer (DPO)
- Commission a complete and thorough audit of your current data security system
- Invest in a change management program and educate your staff
- Partner with GDPR compliant third-parties