The European Union’s General Data Protection Regulation (GDPR) will come into force exactly a year from now and is expected to extensively reform existing cyber-security and data protection practices.
Here are nine things to know about GDPR and how it could force organisations to make cyber-security their principal priority in the coming years.
The General Data Protection Regulation (GDPR), among other things, will make it prohibitively expensive for UK businesses to ignore the data protection and cyber-security rules in place. The Payment Card Industry Security Standards Council (PCI SSC) has estimated that, under GDPR, UK businesses could face fines of up to £122bn for failing to protect customer data, compared to just £1.4bn had the same penalty regime applied to the breaches recorded in 2015.
Here are nine things about GDPR that you must know to prepare yourself and your business for the landmark data protection reform, which comes into effect a year from now:
1. Public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that process special categories of data (such as health or biometric data) or criminal-conviction data on a large scale will have to appoint a qualified data protection officer (DPO), who must be able to offer independent advice. Earlier drafts tied the duty to headcount (250 employees) or to the number of people whose data is processed (5,000), but the final text replaces those thresholds with the nature and scale of the processing.
2. Individuals will have the right to obtain a copy of the personal data that companies hold about them, to have inaccurate data corrected and, in many circumstances, to have their data deleted. They will also be able to ask for their data in a portable, machine-readable format.
3. Personal data breaches will have to be reported to the Information Commissioner's Office within 72 hours of the organisation becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, affected customers must be told as well, although that duty to notify individuals is lifted if the data was protected, for example by strong encryption, so that it is unintelligible to whoever obtained it. In practice this means enterprises will be expected to have the ability to detect breaches, not merely to respond to reports of them.
4. Failure to protect personal data can result in fines of up to 4% of a company's annual worldwide turnover or €20 million, whichever is higher. This is the upper tier of penalties; lesser infringements carry a maximum of 2% or €10 million.
5. Along with data controllers, data processors will carry direct legal obligations to keep personal data secure, including maintaining records of processing, implementing appropriate security measures and notifying the controller of any breach without undue delay. Under existing rules, such responsibility falls only on data controllers.
6. Companies will be expected to conduct data protection impact assessments to identify risks and mitigations before starting processing that is likely to pose a high risk to individuals, such as processing that could lead to identity theft or financial loss, large-scale profiling or systematic monitoring of public spaces.
7. Where an enterprise relies on consent as its legal basis for processing, that consent must be freely given, specific to the purpose in question, informed and signalled by a clear affirmative action; pre-ticked boxes and silence will no longer count. Consent bundled across unrelated purposes will not be valid, and it must be as easy to withdraw as it was to give.
8. Enterprises will need to identify all the personal data they hold, assess where and how it is stored, and document the purposes for which it is used. Most organisations will be required to keep written records of their processing activities and to produce them to the regulator on request.
9. Enterprises offering online services directly to children will be required to obtain verifiable parental consent before processing the personal data of children below the age of 16 (member states may lower this to 13) where consent is the legal basis for that processing. They will also have to make reasonable efforts, taking available technology into account, to verify that consent has in fact been given by the parent or guardian.