On Data Privacy Day earlier this year, CCSI briefly discussed the implications of the General Data Protection Regulation (GDPR). It is essentially a set of rules imposed by the European Union to give individuals primary control over their personal data. Among other things, companies now have to disclose the personal data they hold on a person, and delete it, when that person asks. The regulation came into effect on May 25, 2018. With it in place, how will it affect companies in the long term?
First of all, the GDPR applies to any business operating within the EU, as well as any enterprise outside the EU that sells goods or services to EU customers. For instance, if you operate an ecommerce platform here in the US that ships goods to EU customers, or a website that allows visitors from the EU to create accounts, then your business is subject to GDPR compliance.
Here are key takeaways from the GDPR that all businesses need to be aware of.
Prepare for transparency
Under this new law, companies are required to disclose how personal data is collected and with whom it is shared. This covers everyday business functions like analytics, logins, and advertising. Stricter requirements apply to businesses that obtain user data from other companies: every partner with whom the data is shared has to be disclosed, and the contracts with those partners need to be rewritten for GDPR compliance. Ultimately, sharing data with other enterprises now carries a cost.
For compliance purposes, be sure to map all of the data your company holds. It is important to document what your business does with the data, where it is stored, and who has access to it. You also need to revisit your agreements with partners, especially advertising-related parties.
Prepare to get positive and informed consent
The GDPR gives every individual in the EU the right to ask a company what data it holds about them and how that data is used. This is to ensure transparency. Expect more people to request the data you have on them, so make sure that information can be located and produced on demand; failing to do so can bring complaints to the supervisory authorities and legal action from the individuals concerned.
Furthermore, the regulation requires businesses to ask permission before collecting personal data, and individuals have the right to decline. IT Pro notes that companies should keep detailed proof of how and when a person gave their consent.
Important information should be clearly laid out to individuals before they can tick the “I Agree” box. If your current documents lack explanations on how the data will be used, the GDPR demands you update it.
Prepare for heavy penalties
In general, the GDPR holds organizations responsible for the user data they collect. If a company fails to comply with the regulations, it could lead to massive fines. There are two tiers of fines businesses can be subjected to. The lower tier fine is 2% of a company’s annual global turnover for the preceding financial year or €10 million (roughly $11.6 million at the time of this writing), whichever is higher. The higher tier is 4% of annual global turnover or €20 million (roughly $23.3 million), whichever is higher. CSO also points out that the damage to a company’s reputation for not complying can be huge and isn’t worth the risk.
To avoid these sky-high penalties, it is now more crucial than ever to put security measures in place. Your employees should also be properly trained in data protection, as negligence and human error are currently among the biggest causes of data breaches. For instance, an employee opening a malicious email attachment can have devastating consequences. To prevent these situations, it is recommended to invest in cybersecurity professionals. Maryville University’s cyber security degree emphasizes a comprehensive approach for learners regardless of their professional backgrounds. The topics covered in these programs can help professionals understand the security vulnerabilities in their companies and provide solutions.
In order for your business to stay out of trouble and protect your consumers’ data to the best of your ability, take the time to study the GDPR in depth and adjust your company policies accordingly.
Author Bio: Jenna Bouvet can be contacted via Twitter @writtenbyjenni.
*** This is a Security Bloggers Network syndicated blog from CCSI authored by Jess Olivieri. Read the original post at: https://www.ccsinet.com/blog/businesses-know-gdpr/