In April of 2016, the European Union's Parliament and Council voted upon and replaced the Data Protection Directive 95/46/ec and passed a new sweeping data security regulation called the General Data Protection Regulation (GDPR). The law went into effect on May 25, 2018 and is the primary law that regulates how businesses are required ti protect EU citizens’ personal data. If you are doing business in, or with, the European Union, your company will need to be in compliance with this law or you can potentially face stiff fines and other penalties.
The GDPR was a response to the multitude of data security issues many businesses have either exploited or were a victim of in the EU economic sector. By requiring all of the EU member nations to conform to the same data protection standard, the hope was to raise standards to protect its citizens and also it's companies.
The key provisions of the law include:
- If the user must give consent to the processing of his or her personal data.
- Provide timely data breach notifications to the user if such a breach has occurred.
- You must make collected data anonymous to protect the user's privacy.
- To protect the vital interests of a user's data.
- Properly handle the transfer of user's data across borders.
What Businesses Need to Be Compliant?
Every business that markets and sells their products and services within the boundaries of the European Union is required to adhere to GDPR regulations. Naturally the global implications of this law have been substantial. Heavily affecting company mergers, inhibiting tech start-ups, and decreased venture deals in all sectors by an average of 20-30%.
The GDPR is enforced by Supervising Authorities (SAs). SAs interpret “substantially affects”, which is purposely vague, on a per-case basis. They will be evaluating overall data processing, the type of data, the purpose of the processed data and if it causes damage, loss, or distress to the user. If it limits rights of certain groups or individuals, affects an individual’s economic status or has an effect on their economic health or inflicts potential reputational damage, amongst many more scrutinizations.
To ensure these qualifications are met, SAs will be looking for businesses and organizations to:
- Encrypt the user's personal data
- Prevent unauthorized access to the user's data, or the equipment used in processing of their data.
- Perform an independent assessment of processes and equipment to assess data security risks.
- Have the ability to store and provide personal data in a timely manner in the event of an incident or inquiry.
- Ensure all the equipment used in the processing of personal data remains confidential and secure.
- Conduct regular to assessments of all processes and equipement to ensure data security.
The GDPR is full of language referencing security of computing infrastructure as a precursor to the digital security of the data held within them. Understanding how your IT needs to change is essential before you can build a GDPR-compliant infrastructure. Which, by the way, we can help with.
What Are the Consequences if don't Comply?
SAs have been given substantially more authority under the GDPR than under the old directive. They hold investigative and corrective authority, and will have a tiered system to issue organizations warnings for non-compliance which can move into fines or further legal action. They can also have the power to perform audits, impose changes along with hard deadlines, order data to be forfeited or wiped, and block companies from transferring data to any other jurisdictions until all the mandates are met.
The biggest role SAs have is assessing the dollar amount of the fines for noncompliance. The fines are now substantially larger than under the previous law and they will be determined based on a case by case basis. If substantial evidence is found that an organization's breach wasn’t of their own negligence the SA may not impose a fine at all but will still require conformity to their dictations. However, if it is found that there was willful noncompliance the fines that are imposed can as much as four percent of total global revenue or up to 20 million euros, whichever is greater.
How MyTek Can Help
With the deadline to integrate the changes your organization needs to meet the standards of the GDPR, any business that sells products and services in European Union member nations has to begin to shift their priorities to ensure they are compliant with the new mandates. The best course of action is to read through the law here, and then call MyTek at 623-312-2440 to see how our technology professionals can help you structure your network and data security policies to adhere to even the most stringent security mandates.