EU General Data Protection Regulation (GDPR)
Internet privacy and data protection are increasingly important issues for anyone who uses the internet. Massive data breaches in recent years have opened the eyes of both the public and government bodies to how much damage poor data protection procedures can cause. The EU has responded proactively by adopting the General Data Protection Regulation (GDPR).
Scope of the GDPR
With the implementation of the GDPR, the EU has made it absolutely clear that the primary responsibility for maintaining data security belongs to the businesses and organisations that collect or process data, rather than to the individuals the data is collected about. The GDPR applies to all organisations located in the EU that collect or process any amount of user data. It also applies to any organisation located outside the EU if the data it collects or processes includes data about users who live in the EU.
The latter part is important for organisations in the UK, once Brexit is complete. If even a single bit of user data stored or processed by that organisation belongs to a citizen of the EU, that organisation will need to continue to comply with this regulation after the UK leaves the EU.
The amount of data is immaterial to this regulation. Companies are required to comply even if they store only tiny amounts of data. Additionally, the security requirements are identical no matter how confidential the data is. Data that is generally considered easily accessible, such as names, must be protected just as well as financial information such as bank account numbers.
General Principles of the GDPR
Data security is a complex topic, and because of this the GDPR is a large, sprawling document that regulates a wide range of activities. However, all of those regulations can be distilled into a set of general principles that form the basis for the rules.
Consent of Use
Any entity that stores or processes data must obtain informed consent from the individual who owns the data. That consent must always be presented as an opt-in option and can be revoked at any time for any reason. Revoking consent includes the right to require that any stored data be erased permanently.
Right of Access
In addition to being able to dictate whether their data is stored, the owner of the data also has the right to see the data being stored, and how it is stored, at any time. Furthermore, if the owner wishes to transfer their data, the data controller cannot limit that in any way.
Notification for Data Breaches
Just as data controllers are responsible for protecting data, they are also responsible for honestly and promptly informing users if their data ever becomes compromised. The Supervising Authority must also be notified immediately so that the impact of such breaches is minimised as far as possible.
What This Means for Businesses
A data protection directive has been in effect in European countries since 1995. The GDPR is similar in design to this previous directive, but focuses more specifically on digital data and strengthens many of the previous protections.
For businesses and organisations that are already compliant with the current directive, not much will change, especially if they had already taken additional measures to safeguard the electronic data they collect. Still, some things do change, and it is important to adjust proactively before the GDPR is enforced on 25th May 2018.
In an effort to make this transition easier, the Information Commissioner's Office (ICO) has produced a short video outlining the 12 steps that every business or organisation should take in order to comply with the upcoming regulations:
Failure to comply with these new regulations can result in some very harsh penalties. First-time non-compliance is likely to result only in a warning, but continued non-compliance will lead to audits and eventually to fines for each instance of non-compliance. Those fines can potentially be as high as 20 million EUR or 4% of annual worldwide turnover, whichever is higher.
Entities that store or process data of any sort should make every effort to avoid these sanctions. Compliance is relatively easy and significantly less expensive than the penalties for non-compliance.