Note from the Editor: This is an older resource on GDPR. For more on the latest GDPR resources, check out our GDPR resource page.
- Introduction
- What is the GDPR?
- GDPR and the Data Protection Directive
- 2018: The Year of GDPR
- How to Prepare for the GDPR
Introduction
The General Data Protection Regulation (GDPR) was approved by the EU parliament in 2016 with a two-year transition period. This regulation, which oversees how companies process and protect EU citizens’ personal data, is set to replace the current Data Protection Directive in May 2018—and organizations need to be ready, as noncompliance after May 2018 comes with strict penalties and fines.
Many companies feel they aren’t ready for the changes GDPR brings. According to the Direct Marketing Association, only half of surveyed businesses believe they’ll be compliant by May 2018. A quarter of companies reported that they’ve yet to make a plan of attack, leaving them unprepared for the quickly looming deadline.
The GDPR has many requirements, and for companies worldwide, meeting them all—and meeting them correctly—can be a daunting task. Even more concerning, DMA research found that while over half of businesses feel able to handle the tasks necessary for total compliance, “those saying they will be ‘very’ or ‘extremely’ affected [by the requirements] rose from 44% to 54%.”
Whether you’re just getting started with the GDPR or are elbow deep in planning, we’re here to help you prepare for May 2018. Here’s what you should know:
What is the GDPR?
The GDPR started as a way to reform the European Union’s current data protection directive. It was drafted by the European Commission (an institution responsible for the creation and implementation of EU legislation, among other things) and proposed in 2012 as a way to protect the personal data of all EU citizens, no matter where the data itself is stored and no matter who touches it.
In 2016, the European Union finalized its approval of the GDPR and set a two-year transition period for companies that work with or process EU citizens’ data. This transition period gives organizations time to plan for necessary changes in their daily processes and policies.
Different from the Data Protection Directive (which will be used in the EU until May 2018), the GDPR has introduced many key changes that companies may not already be compliant with. These changes and updates include:
- Giving notice of any data breach that risks the “rights and freedoms of individuals” within 72 hours of breach awareness
- Appointing a data protection officer (DPO) in “any organization that processes or stores large amounts of personal data”
- Providing clear consent forms that aren’t hidden in the Terms & Conditions
- The right for EU citizens to…
  - Request details about how their personal data is processed
  - Have their personal data erased
  - Withdraw previously given consent
  - Request/receive their personal data in a common format
  - Send their requested data to another organization
Even though the GDPR deals with the personal data of citizens in the EU, its requirements affect any company that controls or processes their data. This includes companies in the United States, the United Kingdom, Asia, and beyond. Any company that’s found noncompliant will face strict fines and penalties.
“Even tiny companies from the other end of the world, like [a] practice management software from Australia, will have to get in line—even if their software is used locally, one of the customers could be from Europe, and then you’re in for a treat.” — Steven Hansen, Founder of Techeries
GDPR and the Data Protection Directive
Before the GDPR was approved by the EU parliament in 2016, data was regulated by the Data Protection Directive (DPD). The DPD was introduced in 1995 as a way to bring the EU’s multitude of privacy regulation policies together into one unified rule that could be supervised and managed.
The Data Protection Directive was a step in the right direction for many, but because it was a directive instead of a regulation, it lacked the authority it needed to keep organizations compliant and left much room for interpretation. Technology also continued to advance through the 2000s and 2010s, including the introduction of social media and cloud computing. Eventually, the EU realized that an update to the DPD was needed, one with stricter rules for personal data that would protect the EU population across all channels.
The biggest change the GDPR brings from the DPD is that, as a regulation, it’ll become enforceable in all member states in May 2018. This means it won’t require paperwork or legal action by each state to put it into place. It’ll be active immediately, and noncompliance will be punishable by law.
2018: The Year of GDPR
On May 25, 2018, the GDPR and its requirements will be firmly enforced in all EU member states. By that date, companies and organizations must be completely compliant with the GDPR’s regulations and laws, as listed in this PDF from the Council of the European Union.
Businesses around the globe are currently preparing to meet the GDPR’s requirements. Action items they’re taking include (but aren’t limited to):
- Analyzing their current business structure and data processing
- Determining and targeting which GDPR requirements they aren’t compliant with
- Identifying the personal data they control, store, and process
- Identifying what tools they have to protect their data and what tools they still need, including secure file transfer, updated consent forms, secure/encrypted forms, etc.
Certain companies may have specific steps they need to take, too, depending on how they operate. A company that has suffered a data breach should examine its data breach response plan, or create one if it doesn’t have one already. “Examining any previous data breaches to your system will give you a clearer idea of your organization’s capabilities in reacting to future attacks, and offer a better picture on whether those procedures are capable of meeting future requirements,” writes WeLiveSecurity on how to prepare for the GDPR.
Other companies may be required to hire or appoint a Data Protection Officer to oversee the implementation of the GDPR’s vast requirements.
Regardless of where your company falls on the GDPR requirements spectrum, there’s still a lot to do in the next year. The sooner you start to take steps toward full compliance, the better prepared you and your organization will be when May 2018 arrives.
GDPR and Brexit
For many businesses located in the UK, the question hasn’t been: “How should we prepare for the GDPR?” It’s been: “Do we even have to follow the GDPR?”
Brexit has left almost a quarter of UK companies in preparation limbo, with many canceling their plans because they believe the GDPR no longer applies to the United Kingdom. In a recent survey, “24% [of IT decision makers at UK companies] are no longer preparing for the regulation. A further 4% have not even begun to prepare. Alarmingly, a massive 44% of those surveyed said they didn’t think the regulation will apply to UK business after Brexit,” reports this article from Information Age.
Do UK companies need to prepare for the GDPR? The answer is a resounding YES.
Despite the United Kingdom’s withdrawal from the EU, the GDPR will be enforced months before the UK finalizes its exit, leaving companies exposed to noncompliance fines and penalties. It’s also important for UK companies to be aware of how the GDPR works: even if they aren’t based in an EU member state, the GDPR applies to any company that processes the personal data of EU citizens.
Still not convinced? The Information Commissioner’s Office, an independent authority of the United Kingdom, states: “The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. We acknowledge that there may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.”
If you’re a business in the United Kingdom, we encourage you to plan for compliance with the GDPR, regardless of Brexit politics … and regardless of whether the UK separates from the EU in 2018. Your bottom line will thank you.
GDPR Fines and Penalties
The GDPR was created to give EU citizens more control over their personal data. Based on this protection of incredibly sensitive information, fines and penalties for noncompliance are very steep—and not just monetary.
Companies that fail to meet the GDPR’s requirements could be hit with fines up to €20 million or 4% of global turnover, whichever is higher. Other costs may include the following: litigation, customer notification and compensation in the event of a data breach, damage to business reputation, and diminished share value.
How to Prepare for GDPR
Overwhelmed by all the GDPR requirements? Not sure what to do? You’re not alone. Many companies feel the same way, and many are at varying levels of preparedness, from “not at all” to “working on it.” But while making a plan for GDPR and implementing it won’t be easy, it can be done, even with a looming deadline.
It’s never too late to start.
Unfortunately, we can’t tell you the exact steps you need to take to reach compliance. Each company has different focus areas and business practices they need to review, things we can’t anticipate in this post. But we can help point you, and your organization, in the right direction.
Here are a few key areas you should consider in your quest for GDPR compliance.
GDPR and the Cloud
If you have any data in the cloud, now is a good time to start analyzing your cloud policies and service providers to make sure everything complies with the GDPR’s regulations. What should you be looking for?
- A complete list of all the cloud applications you use; they should all be GDPR compliant
- A clear, complete, and audited access control policy from your cloud provider
- Encryption keys that you, not the cloud provider, manage
- Easy ways to export and move personal cloud data
- Mandatory/enforced secure passwords, secure networks, and security training
While this isn’t an exhaustive list, it’s an example of what you should consider for the cloud. Look closely at your current cloud provider: have they taken a strong stance on GDPR readiness? Are they preparing their products to help you meet regulation requirements?
So far, several cloud providers (like Microsoft and Google) have taken steps towards GDPR compliance. But if you’re using a provider who hasn’t, just remember: at the end of the day, you are responsible for your company’s compliance, even if your data is stored in the cloud. Make the choices that are right for you.
GDPR Compliant File Transfers
One simple way to meet several GDPR requirements is to secure the files you transfer, both at rest and in transit, using a managed file transfer (MFT) solution. With MFT, you can eliminate the custom programming and scripting normally required for data transfers. MFT can also improve the quality and security of files you send in-house or to remote locations, trading partners, other businesses, or the cloud.
Our MFT solution, GoAnywhere Managed File Transfer, helps organizations meet GDPR requirements by providing an auditable product with secure file transfers, secure email, separation of permissions by user role, and at-rest encryption.
The benefits of using GoAnywhere for your compliance needs include (but aren’t limited to):
- Role-based administration and permissions
- Secure connections for transmitting sensitive data
- Strong encryption key management that you control
- Centralized control of file transfers
- Secure mail module for sending files using email with HTTPS download links
- Logging of all transfer activity, drastically simplifying the reporting burden during an audit
Want to see how GoAnywhere MFT addresses certain GDPR requirements? Request a live demo with one of our GoAnywhere specialists. We’ll walk you through the product and show you the features that correspond with specific GDPR standards.