In simple terms, the General Data Protection Regulation (GDPR) was initially implemented in the EU to ensure that data privacy laws were respected, and compliance regulations were put in place to guard against corporate misuse of individuals' information. The European Parliament passed the GDPR guidelines in 2016, and as of May 25, 2018, all organizations in the EU or having any operations in the EU are required to be compliant.
GDPR provides citizens with greater control over their personal data and assurances that their information is being securely protected. According to the GDPR, personal data is any information related to a person, such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
Companies also have a greater responsibility to protect data. Among the main changes is the requirement to obtain explicit and active consent from an individual to process, store or use their data. Informing the user is not enough – the user must give approval for the use of their data. There is also the requirement to notify supervisory authorities of personal data breaches within 72 hours after a company becomes aware of the incident. Furthermore, GDPR includes new rights such as the right to be forgotten (allowing users to request that their personal data be deleted under certain circumstances: if consent is withdrawn, if the data is no longer necessary for the purpose for which it was collected, etc.) and the right to portability, giving users the right to request that organizations that store their personal data provide them with a copy of said data for transfer to another organization.
Risks of not complying with GDPR:
- Financial: Authorities will have the ability to impose fines of up to 20 million euros or 4% of a company’s total global annual turnover. These fines will be assessed based on various factors such as the nature, seriousness, and length of the violation – for example, how many people were affected, the damages caused, whether it was due to negligence, whether there is a history of this type of behavior, etc.
- Reputation: Failing to comply with GDPR could subject companies to public scrutiny. The greater degree of transparency required by the new regulation and the requirement to notify authorities of data breaches could bring more attention to your company. Public disclosure that an organization is not compliant in its handling of customer and employee data will tarnish goodwill and trust with customers.
- Commercial: If a company is not GDPR compliant, it cannot transact business in the EU. Furthermore, its ability to work with other companies that have a business unit in the EU can also be at risk. Business partnership agreements and transacting business in other countries can be at risk if the organization is not GDPR compliant.
While GDPR originated in the EU, many governments around the globe have implemented similar laws and regulations within their own countries, with defined personal data security requirements and penalties for failing to comply.
At ThoughtStorm, we understand security and privacy regulations. We have experts who can assist you in ensuring compliance and identifying the process changes necessary to become compliant – within IT or other lines of business. If you would like to learn more, please contact us at info@ThoughtStorm.ca. We will be happy to have one of our experts get in touch with you to assist!