What is this ‘GDPR’ I keep hearing about and how does it affect me?
A lot has been written and said lately about GDPR, not least of all by VanillaPlus. (See: GDPR compliance: We need to comply but where to begin? and More than half of companies in data protection survey will be affected by GDPR, but 5% don’t know what it is.)
In case your compliance people have been hiding under a rock somewhere when they should have been sharing this with you, these are the European Union’s (EU) General Data Protection Regulations.
For many of us who really need to know, it seems there are still as many questions as answers. That is why, says Jeremy Cowan, you may be interested in a 12-page PDF called the Cordery GDPR Navigator.
Who are Cordery?
Cordery is a London-based firm specialising in advice and solutions for legal compliance. It helps General Counsel, compliance professionals and heads of legal across numerous industries to manage their regulatory compliance.
The EU changed its data protection rules in April 2016 and these rules will apply fully with effect from May 25, 2018. As Cordery says, “The General Data Protection Regulations go well beyond an upgrade. For all businesses, there is now plenty to be done. Many deals being done now are likely to be governed by the new regime. Good planning from now will pay off to meet the eventual major compliance impact.”
A series of frequently asked questions (FAQs) aims to help with that process. They cover questions such as:
- What new rules will there be?
- My business is not in the EU so will these rules still affect me?
- Will I have to register with a regulator?
- Will I have to make privacy an integral compliance element in my business?
- Will consent be required for data processing?
- Will I need to appoint a data protection officer?
- When will I have to report data breaches?
- What kind of fines can my business face for breaching the rules?
When will the new regulations hit us?
Gerard Allison, VP of EMEA at Gigamon says: “The 25th May marks just one year to go until the EU GDPR comes into effect. Yet, despite the imminent deadline, our recent research found that over half of UK businesses are not fully aware of the EU GDPR and the implications it will have on their business. But the reality is, organisations stand to be fined either €20 million or 4% of annual worldwide turnover, whichever is greater come May 2018.
“While EU GDPR is a positive step forwards in data protection, organisations need to be aware of new ways cyber criminals could take advantage of the situation,” says Allison. “Ransomware is a popular tool for hackers yet this tactic could evolve into a different, more dangerous beast. Let’s say, for instance, a hacker successfully breaches a network but the business doesn’t have the tools in place to detect the breach or simply doesn’t report it. The hacker could threaten to report the organisation to the ICO for non-compliance unless they paid them. Is it likely that a business would rather pay for a hacker’s silence than pay eye-watering fines for being non-compliant?”
“To avoid being caught between a rock and a hard place with the new regulation, organisations will need the ability to detect, prevent, predict and contain threats that enter their network if they are to report any breaches in time and keep their customers’ data safe. Organisations need complete visibility over all data traversing their networks – after all, you can’t protect what you can’t see.”
Danger for all companies with EU resident data – European or not
“The name of the regulation has caused some businesses outside of Europe, and in particular the US, to think that these changes will not affect them. However, companies across the pond couldn’t be more wrong, and they need to take immediate action or risk missing the deadline. The GDPR applies to any data held in connection to an EU resident. Therefore, a US organisation selling to a European customer would have to be compliant under the EU GDPR. Similarly, if a US organisation holds personal data on its customers in the EU, it will also have to be compliant under EU GDPR. Organisations simply cannot remain compliant and secure without pervasive visibility over their entire networks. These regulations,” Allison concludes, “are not something for a global organisation to ignore, and they need the proper tools and systems in place in order to save themselves from becoming the newsstand’s next headline.”