An Overview of GDPR

RegoCorporate


For those who continue to walk the GDPR tightrope, we provide an overview of the regulation and present a few tips to help you along the way.

What is GDPR?

The General Data Protection Regulation (GDPR), introduced on 25th May 2018, aims to harmonise data flow between all EU member states as well as to protect EU citizens and give them more control over their personal data. GDPR defines personal data broadly: it includes names, email addresses, bank details, IP addresses or any other information that can identify an individual.

After a breach, organisations that fall short of this legislation are usually fined for their negligence, and such fines are larger than those applied before. Facebook could only be fined a maximum of £500,000 for its role in the Cambridge Analytica scandal under the old compliance laws. This would likely be considerably higher under the new GDPR law, whereby fines can be up to 4% of a company’s global turnover. One such example is British Airways who, after a data breach in September 2018, were issued a record-breaking £183m fine, equivalent to 1.5% of their global revenue.

Why was GDPR introduced?

The EU’s old Data Protection Directive 1995, implemented in the UK as the Data Protection Act 1998, was written at a time when the internet was still in its infancy. As a result, the directive rapidly became outdated, since it could not anticipate how heavily businesses would come to depend on the web. It therefore offered minimal guidance on how data should be collected and stored.

GDPR aims to provide clarity on what is expected of companies and make it easier for them to comply with universal data protection laws across all EU member states. Prior to GDPR, each individual EU member state protected their user data differently because there was no universal legislation, leading to inconsistencies in how data was handled.

Excessive data gathering, combined with inconsistent approaches to protecting this information, has contributed to the increase in high-profile data breaches. This has generated distrust amongst consumers as to how companies handle and protect their personal information. As a result, some individuals now take their privacy into their own hands by falsifying information when signing up for services. Beyond this, there were also concerns that it was all too easy for consumer information to be bundled into packages and sold on to third parties.

In the past, individuals readily handed over personal data in return for a service, and this data was then used to overload them with unrelated emails and marketing pop-ups. Generally, these services would not clearly provide an opt-in or opt-out option, and users would often not even know they had agreed to them. Giving individuals their voice back, and control over their inboxes, was one of the primary drivers of the GDPR legislation.

Who does GDPR apply to?

If a business collects any personal information through goods or services it provides within the EU, it will need to comply with GDPR. Organisations across the globe will need to implement a GDPR compliance strategy to stay aligned with the law. However, if your business has no dealings with the EU, then the law will not affect you. It is important to acknowledge that GDPR puts the consumer in the driving seat, giving them more control over their personal data.

What has changed since GDPR’s introduction?

Since the introduction of GDPR in May 2018, several high-profile breaches have impacted organisations that were not GDPR compliant. Because of GDPR, clear notifications now have to be displayed to consumers. This has made consumers more aware of, and more cautious about, how their data is collected and used, and more likely to decide whether to complete a transaction based on a company’s privacy policy.

Instead of implementing GDPR compliance strategies, many US publishers have avoided it completely by blocking all traffic from Europe. However, this can only be a temporary fix, as many other countries across the globe are looking at revising their own privacy laws. Although this may result in a reduction in advertising revenue, it appears that several tech giants are welcoming the change. One such organisation, Apple, is encouraging the United States to introduce equivalent GDPR laws. In all, compliance with more stringent privacy laws is inevitable and, in the long term, this will benefit both individuals and businesses by reducing the impact of a data breach.

So what can be done to prevent a GDPR fine?

  • Keep systems up to date with the latest patch releases. This includes both in-house systems and data held in the cloud. A pen test can help with this by identifying vulnerabilities that could result in a data breach.
  • Do not hold unnecessary personal data. Reduce the risk by only holding the data you actually need, and only granting access to those who require it.
  • Demonstrate that you have taken steps to protect client data by training staff on GDPR. It is a GDPR requirement that employees are educated to ensure that data is not mishandled.

Although these steps will not instantly make your business GDPR compliant, they will put you on the right track and help your business going forward.