Enforcement of the General Data Protection Regulation (GDPR) is now just a few months away. The media have intensively examined and written about this topic from practically every angle since it became legislation. Businesses continue to struggle with both understanding and implementation of what they need to do to be compliant.
WeLiveSecurity sat down with ESET’s Global Security Evangelist, Tony Anscombe, to better understand the essentials of GDPR.
GDPR comes into force on May 25, 2018. What do you expect to see happening the most – companies making sure they are compliant or companies delaying development of an action plan?
Speaking at multiple conferences this year – both in Europe and outside, I have witnessed the same issue everywhere: businesses all over the world are unsure of how GDPR will actually work in practice. They do not understand the requirements in detail, do not know if all of them are applicable to their businesses, and they do not understand either the key Data Subject Rights, or the role personal data will play in this regulation.
An understanding of all of these seems critical to meeting the requirements of GDPR once it comes into force. If you manage a business, are the remaining seven months long enough to define what your company needs to do in order to comply?
Well, you can get a lot done in seven months. The majority of European businesses within the European Union (EU) have been compliant with the previous Data Protection legislation, such as Directive 95/46/EC, since 1995. Some of the EU countries implemented local legislation beyond this directive, adding further requirements to give citizens additional protection. For many it is a matter of applying the same principles with greater precision so as to comply with the new requirements that GDPR has added.
Being ‘close’ to compliant can still result in fines of thousands, maybe millions, of euro. What have you seen companies do to accelerate their preparedness for GDPR and what do you think they should be doing?
First, I would recommend that businesses have a privacy professional explain the basic requirements of GDPR in relation to their businesses. They need to understand there is no general approach applicable to all companies. In particular, they need to understand that the critical part of being compliant is based on what type of personal data the organization is working with, how the information is being collected and processed, and finally, where and how the same information is being stored. They are all key to meeting GDPR requirements. This is a very good starting point for the next steps, such as the creation of a personal data inventory.
Once the inventory is created, data will need to be categorized for all the data types you are both collecting and processing, including data coming from citizens of the European Union. It’s incredibly important to note that if you are a company not based in the EU, for example a company based in the USA, you must recognize the requirement to comply with GDPR if you are doing business with EU citizens.
With all the options given to us by online shopping, for example, almost every business selling to the European Union needs to comply. That makes for a long list of businesses, doesn’t it?
Yes, you are right (laughs). Any company that sells or provides goods or services to European citizens and collects data needs to comply. That is true whether they have an office or legal entity in the EU or not. There are questions about how the EU will enforce or impose fines relating to non-compliance on companies not located in the EU, but I am sure they will move quickly to make examples of companies not in compliance to encourage others to comply.
Are there any exceptions? Can I be just selling my handmade soaps to people in EU without being compliant?
Yes and no. GDPR is a requirement for all companies, regardless of size. If you are selling directly through your own website, then you need to comply. However, if you sell through a general online store such as Amazon and you are only providing goods to Amazon, which is then responsible for fulfilling and shipping the order, then you may not need to comply. If a company has over 250 employees or its business transactions are based on the handling of personal data, then it is required to employ a data protection officer. The maximum fine for non-compliance is 20 million euro or up to 4 percent of a company’s annual global turnover, which is – for any company – a high number.
While this may sound daunting and the consequences of non-compliance are significant, it’s considered unlikely that regulators will make an example of small businesses that can demonstrate they have a plan and have attempted to comply fully with requirements. It is more likely that the regulator will work with these companies on the additional steps needed to achieve full compliance.
What else can businesses do to make sure they step into the new era of protecting personal data?
I strongly recommend that companies engage the services of a privacy professional, and provide training to their employees focused on instituting a proper plan on how to store and protect data, and that it encompasses the entire company. One of the key requirements is to deploy an encryption solution with access controls, protecting data everywhere you go – even for employees not located on the businesses’ main premises.
Are you still nervous about being non-compliant with GDPR? Don’t worry, there is still enough time to demonstrate that your company is taking the right steps to protect personal data and learn the core skills needed for surviving the new age of data protection.
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that you have everything covered before 25 May 2018.