In May 2018, a new law took effect in Europe that changed how people use the internet around the world.
The most visible result for most of us was a new cookie-consent banner at the bottom of nearly every website, but the law itself is more specifically about how the personal data of people in the European Union is collected, stored, and used.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU law that dictates how the personal data of individuals may be collected and used. It came about in part because of the rather cavalier way that companies like Facebook, Amazon, and Google were using personal data to advertise to and track people on the internet. Under the GDPR, personal data is any information relating to an identified or identifiable person: names, email addresses, phone numbers, credit card numbers, social security or other tax identification numbers, location data, and online identifiers such as IP addresses and cookie IDs.
It wasn't enough to simply let people know that their data was being collected; we knew that much already. The GDPR requires companies to be transparent about what data they collect, the legal basis and purpose for collecting it, how long they keep it, and with whom they share it.
Purpose of the GDPR
The need for the GDPR came from the way that companies were collecting and handling the personal data they held. A series of high-profile incidents drove the point home: the Cambridge Analytica scandal, in which the Facebook data of tens of millions of users was harvested without meaningful consent, and the 2017 Equifax breach, which exposed the names, dates of birth, and social security numbers of roughly 147 million people, nearly half the US population. (The GDPR itself was adopted in April 2016, before either story broke; these incidents illustrated the problem it was written to address rather than triggering it.)
These instances brought to light that these growing companies had more data about most of us than we realized and drove home the need to provide protections for that data. Rather than do nothing, the EU acted, and the GDPR was the result.
The purpose was to put restrictions on what personal data could be collected, rules around how it had to be stored and secured, and limits on what you were allowed to do with the personal data that had been collected.
How does it impact you (a business) in the EU and beyond?
If organizations like Facebook wanted to do business in Europe, they had to follow the GDPR or face the consequences (we'll talk about those below). The law applies to any organization established in the EU, and also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, for example through tracking cookies or analytics. For most global businesses, that means if you sell to or track people in Europe, you're required to follow the GDPR even if you have no European office. The biggest thing that most of us see from this is the now ubiquitous banner that asks for consent to cookies.
However, beyond that, your organization is also required to follow the regulation's rules around how the data you collect is handled.
Those requirements include:
- Accountability – You have to be able to demonstrate that you're following the GDPR. This includes things like records of what data is collected and why, documented processes for handling it, security training for staff, and, where required, appointing a data protection officer.
- Data security – You need to keep data safe using measures appropriate to the risk. The regulation specifically names encryption and pseudonymisation, and in practice this also means staff training, limiting internal access to data to those who need it, and the ability to detect and recover from incidents.
- Data protection by design and by default – Data protection can't be an afterthought. It has to be a baked-in part of everything that you do, and the default settings of a product or service must collect and expose only the data that is necessary.
- Consent – Making sure people are okay with the data collection. Consent is one of several lawful bases for processing, and where you rely on it, it must be freely given, specific, informed, and unambiguous, and as easy to withdraw as it was to give. This is largely why we see banners about cookies: you are giving the business the okay to collect data, and pre-ticked boxes or silence no longer count.
- Data Protection Officers – A data protection officer is required for certain organizations (public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) to make sure that the rules are properly followed. The goal is to have a central data privacy expert in your organization.
Penalty for breaches under GDPR
Europe wasn't messing around when they put this law together. The maximum penalty for the most serious infringements is €20 million or 4% of annual global turnover, whichever is higher (a lower tier of €10 million or 2% applies to other infringements). The fines apply to any violation of the regulation, not only to data breaches. Along with that, businesses are required to report data breaches to the supervisory authority within 72 hours of becoming aware of them, and to notify affected individuals without undue delay when the breach is likely to put them at high risk. The reason for this is to prevent situations where data breaches aren't reported for months, like we often see here in the US.
The stiffness of the fines ensures that organizations take the GDPR seriously. A small enough fine could easily be written off by larger organizations that could just continue to be lax with their data policies. This way, businesses tend to learn their lesson the first time. To date, Google has been fined €50 million by the French regulator, and the UK regulator announced its intention to fine British Airways £183 million (about $230 million) over its 2018 breach, later reduced to £20 million.
Are you compliant?
The last thing anyone wants is to accidentally be non-compliant with regulations like the GDPR. But it's a dense law. Figuring out what you need to be compliant isn't easy, and all it takes is one slip-up and you're facing millions in fines.
All is not lost, however. At Homefield IT, decades of experience means that not only do we understand what it takes to keep personal customer data safe, but we also know how to keep you compliant with regulations like the GDPR. If you'd like to ensure that you're doing everything possible to protect your customers' data, let's talk. We can keep your customers and your business safe and compliant under the GDPR.
Contact us today to learn how we can help.