
Why the EU GDPR is Important to You and Your Security

On April 8, 2016, the EU adopted its General Data Protection Regulation (GDPR). The new rules went into effect on May 25, 2018. They apply directly in all EU member states and require no national legislation to take effect. What does this mean for you, and why is it important?

The GDPR rules have a strong impact on how companies everywhere interact with people in the EU. The key point is that the regulation applies to companies outside the EU as well. Anyone advertising or selling goods and services to an EU member must comply. Companies that accept payment from an EU member must comply. And anyone who asks for any kind of personal information, whether to gain consumer insights or to use as a sales lead, must comply. In short, a company outside the EU that targets customers within the EU is subject to GDPR.

That’s intense. 92% of United States organizations see GDPR compliance as their top data-protection priority. And no wonder: again, any company that interacts with EU citizens or businesses falls under GDPR. Failure to meet the requirements will result in serious fines. How serious? Over $23 million serious. And don’t forget the damage a violation could inflict on a company’s reputation.

So, the big question is this: are you currently following the rules?

What Does GDPR Require?

Any organization that processes data has direct and significant obligations under GDPR. These data processor rules include (but are not limited to) the following requirements:

  • Keep a written record of the processing activities carried out. A separate record must be maintained for each controller on whose behalf data is collected.
  • Name a data protection officer where required.
  • Appoint a representative (when not established in the EU) in certain circumstances.
  • Notify the data controller immediately when becoming aware of a personal data breach.

Data processors now have a new legal status. This will affect how data protection matters are handled in other commercial agreements.

Data controllers must continue to provide transparent information to data subjects. For example, if the information gathered is going to be used for marketing purposes, the subject has the right to object, so the data controller must disclose that use at the moment the data is gathered. Of course, no one can take personal data without permission. Consent must be freely given, specific, informed, and unambiguous. It must also be as easy to withdraw as it is to give. If the data subject has no genuine and free choice, that is not consent. And if they are unable to withdraw or refuse consent without repercussions? Fun fact: not consent. (Valuable life lesson, folks.) Consent must be explicit for sensitive data. The data controller must also be able to prove that the subject did, indeed, give consent.

What Do I Need to Do to Comply with GDPR?

Given the complexity of GDPR, your response plan needs to be multi-dimensional. The first step is asking yourself the classic trio of data security questions:

  • Do you know all the personal data you hold? This includes data about your customers, employees, contractors, patients, suppliers, and the like.
  • Where is this data stored and used? You need a deep understanding of where your data lives, both in transit and at rest. Know whether it’s in the cloud, on separate hard drives, or on backup tapes. And do not forget the mandate to have user consent before sharing that data!
  • How will you protect this data? Your applications, databases, and networks are complex. Each of them needs multi-layer security measures in place to safeguard personal data. Knowing exactly what your organization needs is an in-depth discovery process; it can’t be a one-size-fits-all fix. But it is very important.

Answering these questions will give you a high-level view of what you need to do to comply with GDPR. Next, assess the potential impact of implementing the necessary changes. Also include a consent management strategy and a plan for handling data access requests. Unfortunately, you should also prepare for the worst: assess the possible impact of a privacy violation. Better yet, keep your legal team in the loop. Better still, make strong choices that ensure you never need them.

Atlantic BT is well versed in the various regulations throughout the tech world. We develop functional, compliant websites that work for everyone. Contact us for more information on GDPR and for a free consultation to make sure your site is up to date.
