1. GDPR is global
The GDPR may be an EU reform, but it will impact any business worldwide that handles the data of EU citizens. It is the first global initiative protecting personal data, requiring universal security compliance. This means that, if you’re a UK business, Brexit will have no influence over the GDPR’s rules if you process EU data.
2. Extension of liability
Historically, only data controllers were responsible for data processing activities. With the GDPR, liability extends to any organisation that comes into contact with sensitive data. If your company processes personal information, it must be fully GDPR compliant.
3. Consumers have the right to be forgotten
The primary intention of the GDPR is to hand back control to citizens when it comes to their personal information. Your organisation must not hold a customer’s data for longer than required, or use it for any other purpose, and you must delete any information at an individual’s request. Citizens have the right to be forgotten, which ultimately means they can opt out entirely.
4. Proof will be required
One of the trickiest aspects of the new reform is the requirement to prove you obtained clear and positive consent to data collection. Your processes will need to be absolutely watertight to ensure that proof is always obtained, stored, and can be easily accessed.
5. More information classed as data
The official definition of personal data has been widened by the GDPR, bringing new information under regulation. This now includes an individual’s genetic, mental, cultural, economic or social condition. Importantly, information about cookies and IP addresses is also now under scrutiny, so IT data that was previously unaffected will need extra attention to ensure your business is compliant.
6. Assess and report within 72 hours
Your organisation’s ability to detect and respond to a security breach will be essential under the GDPR. To adhere to the new regulations, your systems must have the necessary technologies and processes in place to continuously monitor for and identify a threat, and to notify the Information Commissioner’s Office (ICO) within 72 hours of a breach. Privacy Impact Assessments (PIAs) will be mandatory.
7. You may need to appoint a DPO
If your company’s main activities involve handling personal information on a large scale, a Data Protection Officer (DPO) will need to be appointed, regardless of the business size or number of employees. According to a study by the International Association of Privacy Professionals (IAPP), the GDPR’s new requirements mean that 28,000 DPOs will have to be appointed in Europe alone.
8. Privacy is paramount
Privacy must be integral to all your software, processes and systems, and you must be capable of completely erasing personal data. Some businesses may consider outsourcing their data storage and security processes, both to ensure that their systems are entirely compliant and to minimise the resources needed in-house.
9. The new fines are much bigger news
So, why should you take notice? The GDPR is upping the non-compliance fines to €20m, or 4% of worldwide annual turnover, whichever is greater. Simply put, a fine of this magnitude could spell the end of an SME, or any business without much room on their bottom line, so complacency on the reform is not an option.