Amidst the recent stream of controversies surrounding Facebook, Cambridge Analytica, and our global (lack of) data privacy, the European Union is taking action. Taking effect on May 25, 2018, a new set of cybersecurity guidelines has completely changed the way EU businesses handle customer data.
These are known as the General Data Protection Regulation (GDPR).
What is the GDPR?
The GDPR is a new set of regulations designed to give EU residents more control over their personal information, particularly involving how businesses manage user-submitted data. The regulations benefit all EU citizens, and apply to all EU businesses—even non-EU enterprises that have a digital presence in the EU. (Note that for the time being, GDPR mandates still apply to the UK. However, with Brexit scheduled for March 29, 2019, the UK’s participation in EU regulations will likely change.)
Cutting through the jargon, the GDPR offers three specific protections for users:
- Users may request a report of all data that a company has collected on them;
- Users may request that businesses delete their personal data at any time;
- Businesses must notify affected users of data breaches within 72 hours.
Compliance with these regulations is now mandatory, with substantial fines levied against companies that break the rules. The maximum fine for a GDPR violation is either four percent of the company’s annual revenue, or 20 million Euros—whichever is higher. As such, businesses don’t have a minute to waste in reaching compliance with these standards.
Do you need a GDPR compliance plan?
If your business is in the EU and subject to GDPR, you’ve likely developed an action plan already. However, global businesses not yet affected need to be aware of the issues too, even if they don’t have an active presence in the EU.
The EU protections extend to any major company doing business in the region, which these days means every tech giant on the Fortune 500. Add in the fact that industry leaders like Microsoft and Facebook have already offered to extend these protections to their users in any country, and it stands to reason that the GDPR is acting as a sort of “blueprint” for a global data regulation. If it’s successful, it may see widespread adoption that could feasibly extend to the United States and beyond.
Starting your compliance strategy
The scope of a full GDPR compliance plan is well beyond what we have room for here, so let’s just touch on a few highlights:
- Start with your data collection practices: What types of data do you store? For what purpose will you use that data? Are you holding it longer than you need to? Ask these types of questions in your initial data assessment, as they’ll form the foundation of your upcoming plan.
- Develop a team: Does your company have the resources to address these issues? Are there dedicated data privacy experts and professionals who can support implementation? Is employee training on data privacy part of your onboarding strategy? Every GDPR compliance plan needs a qualified team to implement policies.
- Document everything: Every internal data management policy used in the organization needs to be documented. This includes privacy policies, defined policies on data retention, and public assertions of what the data is used for. Don’t forget your vendors, either—if they process data on your behalf, they’ll need to maintain the same standards of compliance.
The Future of Cybersecurity
GDPR is limited to the EU, but we expect far broader adoption in the coming years. Cybersecurity and data privacy are perennial hot-button issues for consumers, and as Facebook’s recent rash of scandals indicates, we still have a long way to go. Do your part as a webmaster to keep your users’ data safe and secure—regardless of who’s regulating you.