Since the General Data Protection Regulation (GDPR) was approved by the European Parliament in April 2016, organisations have been counting down to the introduction of this new legislation. Set to come into full force on May 25th, 2018, and unaffected by Brexit, its far-reaching scope is still causing a fair amount of confusion for some about how to comply with it, and there is genuine worry about the significant fines that go hand-in-hand with non-compliance. That is why it is essential to start planning for GDPR as soon as possible and get a head start on the process; it cannot be done overnight.
What is GDPR?
GDPR will replace the Data Protection Directive 95/46/EC in a move to unify data privacy law across the whole of the EU by implementing a single set of data protection rules to safeguard the privacy of its citizens. This is done by requiring full transparency and greater accountability from organisations in regard to how they collect, store and process data. This includes the way that customers are signed up to company databases – we can say goodbye to general terms and conditions forms which see many of us click ‘I agree’ without reading the fine print. In turn, this means that people will have more rights over how their personal data is stored and will be better informed, regardless of whether the data is processed outside EU territory or not.
What are the penalties for non-compliance?
This has been the main focus of discussion around GDPR, and for good reason. Non-compliance with GDPR can carry incredibly steep penalties, based on the specific regulations that have been breached, and there will be no grace period when the legislation comes into force. Not all fines will be the same, however: companies breaching the rules in a blatant manner can face a top-level fine of up to €20 million or 4% of their global annual turnover, whichever is higher. On top of the fine itself, a breach can also lead to compensation claims for damages and significant reputational damage, none of which any business wants.
How can you comply with GDPR?
When addressing GDPR requirements, as well as gathering customer data through transparent and simple-to-understand methods, organisations should also look at encryption methods to secure that customer data. Encryption should be applied both on premises and in cloud-based environments to ensure the strongest protection, especially for payment data. This model is needed not only to protect the data itself, making it safer from malicious attackers, but also to honour a customer’s right to be forgotten by ensuring the secure deletion of files. Organisations must be able to demonstrate these security measures and make them available for audit should an external party require it.
However, should the worst happen and data fall victim to malicious access, transparency when dealing with a data breach is also essential to staying compliant. Organisations will have 72 hours to investigate the damage of the breach, inform their industry regulator, and notify the customers who have been affected.
At Schoop, we’re working hard to remain GDPR compliant to ensure that our customers have the highest level of transparency from us around how their data is stored and processed, both now and when the legislation is officially introduced in May. We realise the importance of having a secure business system in place, safeguarding our customers across the UK and worldwide. We believe that as long as an organisation invests in plans to remain compliant, GDPR doesn’t have to be seen as a threat.