New European data privacy rules apply to local businesses
Many area businesses have European residents among their customers. If you do, you probably have data about those customers on your computer systems. New European Union (EU) regulations about the security and privacy of that data are relevant to you.
These EU regulations are called the General Data Protection Regulation, or GDPR. The rules — and penalties — are designed to establish cohesive data privacy laws across Europe. GDPR applies to all companies that handle personal data for anyone living in the European Union, regardless of the company’s location.
GDPR rules will go into effect in May 2018. After that date, companies that fail to secure European citizens’ data or honor privacy requirements could be subject to fines ranging up to 4% of the company’s worldwide revenue.
Compliance is therefore important, but this topic matters for more than avoiding penalties. What the GDPR rules demand is also good business practice — the same discipline needed to safeguard your customers’ important information helps to safeguard your business’s sensitive details, such as financial data, trade secrets, engineering drawings, business processes, and more.
Basic overview of GDPR: Rules and readiness
Companies must obtain specific consent from their customers, or other parties whose behavior they are monitoring, to gather and store personal data. Hard-to-read terms and conditions full of legalese aren’t acceptable; consent must be given in an easy-to-understand form using clear and plain language. Companies must also make it easy for customers to withdraw consent.
Companies must provide notification about data breaches within 72 hours.
It doesn’t matter where companies are located — nor whether their data is stored on-premises or in the cloud. U.S. companies must identify personal data for Europeans, they must protect it, and they must report on failures to do so.
Most companies are not ready to meet these requirements. Many haven’t yet realized how the rules apply to them. A recent survey by technology research firm Gartner Inc. predicts that by the end of 2018, more than 50% of companies affected by GDPR will not be in full compliance with its requirements, and lack of compliance could lead to hefty fines.
For example, the following infractions could result in a fine of 2% of a company’s annual global revenues: failure to have records in order; failure to notify the supervising authority and the data subject (the person whose data has been compromised) about a breach; or failure to conduct impact assessments.
GDPR rules apply both to companies that control data — that is, most organizations — and those that process data, such as providers of cloud-based storage and collaboration services.
Where to start?
Many companies have already stepped up their attention to data security and privacy in recent years. When doing so, it’s useful to have a framework to follow as a way to ensure attention is paid where it’s needed. One such framework familiar to many U.S. companies is the NIST Cybersecurity Framework (CSF). NIST stands for National Institute of Standards and Technology, which is part of the U.S. Department of Commerce.
The four key components to the NIST Cybersecurity Framework — familiar to many IT professionals and, more recently, chief executives and chief financial officers — are Identify, Protect, Detect, and Respond. These same concepts are the best way to structure your approach to GDPR requirements. To do so, you’ll need to become familiar with the GDPR rules themselves; they are widely available online. Then, you should “map” your existing security efforts onto the GDPR requirements. In this way, the GDPR preparation process will simply further the IT security work you are already doing.
If your company has not yet started any formal program of cyber security improvements, now is the time. Only a structured approach to keeping your customers’ data — and your company itself — safe can succeed over time.
For example, only a structured approach can ensure sensitive data is properly identified and managed, operating systems are properly patched and up to date, threats are identified, and proper responses are made. That’s good business practice, and the upcoming GDPR requirements are one more reason to give cyber security the attention it needs.
James Savage is founder and president of Microsoft-focused technology consulting firm Concurrency Inc.