The General Data Protection Regulation (GDPR) means the EU is getting serious about protecting personal data, and with potential fines of €20m or four percent of turnover, companies are nervous about the implications.
The General Data Protection Regulation (GDPR), the European Union's (EU) new rules on handling personal data, will be here soon: in less than a year, in fact. It goes live on 25 May 2018.
GDPR is designed to give EU citizens greater control over their data, but companies need to be aware of their responsibilities and make sure they’re handling data correctly.
In reality, the level of fines is likely to be much lower than the headline numbers.
In the UK, the Information Commissioner’s Office (ICO) has stated that it has never issued the maximum fine under the present guidelines for personal data and it does not anticipate that its approach will change under GDPR.
However, companies should be aware that these fines are there to indicate the importance of these new rules.
Factors that will determine how breaches are assessed in terms of fines include the swiftness with which the offending company reports the breach and also the measures in place to mitigate its impact.
Consent? Prove it!
The age of spam and mass marketing has driven the EU’s law makers to put the citizen in charge.
How harshly offenders under GDPR are treated is likely to be established by the first few test cases.
To avoid being a test case, companies should be aware that they must obtain explicit consent for data collection.
Companies must also be able to prove that they obtained that consent. Consent can be withdrawn, and people can now also ask for details of what information a company holds about them.
Companies will therefore need to be able to retrieve the data they hold on any given individual.
Encryption – friend or foe?
As the authorities of various governments have cited encrypted messaging services such as WhatsApp as a friend to those seeking to do wrong, there is an irony that GDPR encourages greater use of encryption.
Indeed, the reasons that WhatsApp and similar messaging services are favoured are the very reasons why those collecting, storing, and transmitting personal data should use encryption.
Companies should be aware that although GDPR does not refer specifically to encryption, encrypting data should increasingly be seen as a best practice, if not a standard practice, when handling personal data.
For example, the theft of a laptop whose data is encrypted may not be considered a breach.
Encryption is also important wherever data may be exposed to the public internet.
This is not to say that the internet should not be used, but that it should be used in a way that acknowledges the risks.