The General Data Protection Regulation (GDPR) seeks to introduce more transparency around how personal data of EU citizens is collected, stored and utilised by businesses. This means that even if your business is not operating or based in the European Union, any of its citizens whose data you collect - for example via the internet or in the form of a job application - will be covered by the GDPR.
You might think only technology giants like Google and Facebook with their vast amounts of user data will need to worry about the GDPR. But think about all the information that is held by your business. Do you have a customer newsletter? Have you ever collected personal information to release a white paper? Maybe you've collected phone numbers and addresses of past customers?
No one should underestimate the effect this new regulation will have on their business. The time to meet GDPR is getting short, with the final deadline set for 25 May 2018, and the onus is on businesses to ensure they are compliant.
What will the GDPR do?
This updated legislation will put more power in the hands of individuals to access and control their personal information in the digital space. 'Personal information' includes a person's name, address, contact information, email address and even IP address.
The General Data Protection Regulation will require users to actively agree to hand over data. In real terms, this means 'opt-out' options and pre-ticked boxes to agree to Terms of Use or receive communications will not constitute an 'active' agreement.
Users will be able to request a complete list of all data that has been collected about them, together with an explanation of how the data has been factored into decision making and analytics, who has access to it, and how long it will be stored.
Even if a user has agreed to hand over data, they retain the right to request all data be deleted.
Businesses will also be required to report any data breach should it occur, including what data has been compromised. The consequences of poor data security will also be vastly more severe; data breaches will carry a penalty of up to €20 million, or 4% of annual global turnover.
What is required?
Businesses need to secure personal data and take appropriate steps to test that their security is adequate. Meeting compliance standards will likely require a comprehensive audit of data collection methods within your organisation: the length of time data is stored, whether data is shared with third parties and whether data can be used to reveal the identity of individuals.
According to a report by Sharp Business Systems, "one in 12 employees are able to access information they shouldn't be able to view, putting both customers and the company at risk of data leaks. The problem has been amplified because such a large proportion of the workforce is now able to work remotely."
Individual employees might also work with data offsite, even without the permission or knowledge of their employers.
"Almost a quarter of employees are using public file sharing sites without the permission of the business and a third are taking work home to finish, without getting approval from their managers to take data off-premises," the report declared.
Every organisation will be required to appoint a dedicated Data Protection Officer to oversee the ongoing collection and maintenance of data.
What about data stored in the cloud?
Particular attention should be paid to any data that is stored in the cloud. While an organisation that manages data stored in the cloud may be based in the EU, its servers may be located offshore. This can be especially problematic if the servers are located in countries where data can be seized by third parties or government departments.