The General Data Protection Regulation (GDPR) is a wide-ranging set of requirements covering topics such as consent and accountability that will apply in the EU from May 2018. The GDPR is set to have significant implications for cyber security; if you collect or process data from anyone living in the EU (regardless of whether or not they are a citizen), and even if you do so in order to provide a free service, then you must comply with the GDPR or face hefty fines.
Your organisation will be expected to follow high-level cyber security guidance when the GDPR is in force. Customers will be entitled to expect data privacy, and gathering information from them will require greater levels of consent (e.g. you won’t be able to use a pre-ticked box on your website any more!).
A data breach can be disastrous for your organisation; seven out of ten small companies that experience a major data loss go out of business within a year. So, consider investing in Cyber Essentials, a certification scheme backed by the British government to help organisations to prevent online attacks and hacking. This will help with compliance with the GDPR, as well as improving the security of your company, customers and partners.
Any tracking data can be considered relevant to the GDPR, including tracking cookies and IP addresses. An online ‘right to be forgotten’ will be in place, so individuals will be able to ask you, as an organisation, to delete their personal data. If you don’t have a method in place for doing this, you will need one.
Privacy from the ground up
One of the key premises of the GDPR is that, going forward, protecting privacy should be an overarching consideration in the design and development of any new activity that involves the collection of protected personal data. For example, the EU suggests that when new apps are created, IT security experts like WeSeeNow should work together with business representatives such as the marketing team to determine how best to create an app that meets business requirements in a secure way and also guarantees the safety of the data.
The how is up to you
One of the notable features of the GDPR is that it avoids being prescriptive about how companies should go about implementing the required level of privacy and associated cyber security. It simply mandates that companies ensure “an appropriate level of security, including confidentiality”.
In other words, it puts the ball firmly in the court of those collecting and processing the data, obliging them to keep up to date with developments in IT security, including both threats and the ways to counter them. It puts the onus on each organisation to take measures that are relevant to its own situation.
It should also be noted that, in the context of the GDPR, the idea of data security is much broader than just protecting data from theft. It also includes preventing the accidental or unlawful destruction, loss and/or alteration of data.
Breaches must be reported
The GDPR has yet to be implemented, so it remains to be seen how the requirement to report breaches of data protection will be interpreted in practice. Interestingly, the EU does make allowances for data controllers to keep a breach private if it is unlikely to have any meaningful impact.
Assuming, however, that a breach does need to be reported, the report must be issued “without undue delay”, and the expectation is that it will be made within 72 hours unless there is a very good reason why it should take longer. The EU also mandates that the notification must inform the data subjects of the potential impact on them and of how they can potentially mitigate it.