While current regulations don’t match the GDPR’s fines, companies have already lost hundreds of millions as a result of regulatory inquiries and enforcement actions, class action litigation, forensics, and other breach-related costs. In May the stakes rise, when the General Data Protection Regulation (GDPR) begins holding companies accountable for such breaches, and the consequences of losing customer information could be devastating.
As of December 20, 2017, the Identity Theft Resource Center had reported 1,293 personal data breaches exposing more than 174 million records since the beginning of that year, an increase of 21% over the same period in 2016. Had those 1,293 breaches occurred after May of this year, many of the companies affected could have faced GDPR sanctions.
The new regulations are complicated, but failure to comply with GDPR can be very costly: fines of up to $26 million (€20 million) or 4% of total annual global revenue, whichever is higher. Nevertheless, surveys have found that most businesses with EU customers, as well as the majority of businesses in the EU and UK, are not ready.
Compliance with the new regulations starts with determining whether your business is in scope. Simply put, any company that has customers in the EU, or even markets to EU residents, is likely affected, and any company established in the EU that processes personal data is affected regardless of where the data subjects are located. GDPR was created to better protect personal data. So if your company stores information about customers that can somehow be connected to a name to identify a person, the GDPR may apply, provided that data pertains to covered individuals or to processing activities in the EEA. Such information includes age, birthday, sex, address, phone number, IP address, sexual orientation, political opinions, trade union membership, religious or philosophical beliefs, racial or ethnic origin, genetic or biometric data, and personal information about a child under the age of 16. Basically, if you collect or process information about your customers, the safest bet is to comply with GDPR now to avoid future fines, rather than waiting for a breach to find out whether you were compliant.
The first step toward compliance is appointing a Data Protection Officer (DPO). A company is required to have a DPO if it processes large amounts of personal or sensitive data or performs regular and systematic monitoring of individuals covered by GDPR. This person must be available and involved in any event where GDPR-covered data may have been lost. The DPO is the point of contact for any GDPR issue with affected persons and with the Supervisory Authority (SA). Because the DPO will be responsible for demonstrating your company’s compliance, this individual needs to know both the regulation and your security controls inside and out. If your company is not required to have a DPO, you should still designate someone to call if the SA opens an investigation.
Of course, you cannot stop there. All personal data and the processing performed on it need to be evaluated to determine whether your business has a lawful basis to receive, store, or process the data. Any unlawful possession of data covered under GDPR will be viewed as a serious violation. Companies are also now required to carry out Data Protection Impact Assessments (DPIAs, often called Privacy Impact Assessments) for processing that is likely to present a high risk to individuals. As a part of doing business, you will be expected to assess your current level of data protection and document or remediate what is needed to become GDPR-compliant. You will also be expected to understand, and be able to show, what the impact on data subjects and on your company would be should a privacy incident occur.
There are many other components of GDPR that companies should familiarize themselves with and comply with where required. The best source of information on the regulation’s requirements can be viewed here.
Once GDPR takes effect, if your company experiences a breach or is contacted by a GDPR investigator, involve your legal team immediately and show an attitude of compliance by offering complete support for the investigation; keep in mind that GDPR expects a personal data breach to be notified to the Supervisory Authority within 72 hours of becoming aware of it. It is important to remember that complying with GDPR is not easy. It takes time to update security systems and processes to the standard the new regulations require. It can also be costly, but data protection should always be treated with the utmost seriousness, and the cost of compliance will often be less than the cost of sanctions.