The amount of personal data leaked by companies that store or process it has been growing at an alarming rate over the past few years. Yahoo’s record-breaking 2016 data breach — estimated at half a billion records stolen — seemed hard to beat, but it was actually topped in a single incident later that year. A notorious spammer called River City Media leaked, among other personal details, 1.37 billion e-mail addresses — a simply staggering amount.
With hundreds of millions of people potentially affected by a single breach, and with the security of personal data a hot topic for many countries around the world, issues of data privacy and security have understandably caught the attention of politicians.
Governing bodies are beginning to take action. For example, within 12 months, companies that do business in the European Union will be required to comply with a new set of data privacy rules called the General Data Protection Regulation (GDPR). The GDPR is designed to unify data protection rules across Europe and set out compliance obligations for the movement of data within the EU and between EU member states and their global partners. Essentially, it aims to improve the handling and storage of personal data and keep it safe from misuse.
An outline of the initiative follows.
What is GDPR?
First, GDPR refines the vague definition of personal information according to the EU Directive of Data Protection (“any information relating to a living, identified, or identifiable natural person”) and adds more context. According to changes coming into effect next year, such data as IP addresses, genetic, mental, cultural, economic, or social information, are going to be considered personal. Even nicknames or pseudonyms are included — in many cases they can be attributed to a particular individual within an organization. Customer names, phones, and addresses, supplier records, and staff records all fall under this definition.
Second, GDPR defines a number of measures aimed at increasing the transparency of data control and management: Stricter consent will be required from users, and users will be able to revoke their consent at will. Users will gain the right to request information about how, where, and for what purpose their personal data is being processed. Users will also be able to request all of their personal data from organizations that use the data and will be granted the right to request its deletion from the organization’s servers.
Finally, data protection processes must be included from the start when designing new systems to implement the “privacy by design” principle. What’s more, organizations whose core activities include processing significant volumes of personal information will be required to have a data protection officer. Although these measures are aimed at reducing the probability of a data breach, in case one occurs, organizations will be obligated to report it within 72 hours of the data controllers becoming aware of the event.
Those companies that fail to comply with these regulations will suffer severe financial penalties — up to 4% of annual global turnover (aka revenue) or up to €20 million, whichever is greater. Yes, you read that right — annual global turnover. For global companies, even those with no physical presence in Europe, the regulations cover all of the personal data they control and manage of EU citizens, regardless of whether the processing takes place in the EU or elsewhere.
In the coming months, we will cover how GDPR is going to affect different areas of your company: IT, HR, Sales and Marketing, Legal, and Finance and Accounting. Do you feel ready? We are here to guide you through the process of getting prepared.