The GDPR, or General Data Protection Regulation, is a set of regulations drawn up by the EU in 2016 to govern how companies handle the sensitive personal information they gather in the normal course of their business.
The GDPR is set to come into effect in May 2018, and conducting business in the EU without being in compliance can carry fines up to 4% of an organisation’s annual revenue, or 20 million euros, whichever is the greater.
So what does the GDPR require, and how can your business avoid potentially massive financial damages?
What does the GDPR require?
The GDPR governs storage and handling of personal or potentially identifiable information, from the obvious, such as names, addresses, geographic locations, and IP addresses, to less obvious pieces of information, such as political opinions, health, religion, and ethnicity.
The GDPR requires that data be stored only ‘when absolutely necessary’, and be accessible only to those who actually need to know the information. Data may only be collected if an individual ‘opts in’; it cannot be collected on an ‘opt out’ basis. Data must also be anonymised in some way so that it cannot be tied back to an individual without some sort of ‘key’.
The GDPR also gives the individuals about whom data has been gathered a number of rights, including the right to see all the information an organisation holds on them, the right to request that all data collected on them be erased, and the right to be notified of any potential breach within 72 hours (see https://community.spiceworks.com/topic/1992700-what-is-gdpr-definition-implications-and-concerns-word-of-the-week).
How to ensure your business is compliant
As with any set of security requirements, the key first step is a review of current security practices, since minimising the risk of a data breach is always the best approach. Invest in endpoint security solutions such as https://www.promisec.com/, and look into a full security review or penetration testing.
If your organisation does any business in the EU, even tangentially, have your IT staff conduct a thorough review of the GDPR and of how it will apply to every aspect of your data collection practices.
For most businesses, the GDPR will require a substantial overhaul of data collection and retention practices, and will probably require additional training and documentation, with the cost that entails. The cost of compliance, however, is trivial compared to the potential cost of a breach.