How Will Businesses with Consumer Data Handle GDPR?
At a time when the use and misuse of personal digital data is in the headlines, and entire cities are being crippled by ransomware attacks, companies need to assess their storage systems and data handling—and strengthen their cybersecurity protocols.
An even greater reason for taking stock is the General Data Protection Regulation, which takes effect on May 25th. The GDPR is broad new European Union (EU) legislation designed to tighten the cybersecurity around personal data and modernize personal data handling.
Regardless of whether your business is based in the EU: if you sell goods in the EU, operate a website there or collect protected data from EU residents, you are subject to the GDPR.
Here’s how Lexology.com explains which data is impacted:
“In short, the GDPR aims to protect the “personal data” of EU citizens—including how the data is collected, stored, processed and destroyed. The meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the U.S. Under the GDPR, “personal data” means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs.”
As global, data-rich businesses tune in to the looming GDPR start date, U.S. firms (large or small) holding any such data are equally subject to its reach, and the time to get compliant is short, with the deadline of May 25th. Even so, Gartner’s research concludes that approximately half of the businesses within the scope of the GDPR will still be noncompliant by the end of the year.
Not concerned? Fines for violations of the GDPR can be as high as $28 million or 4% of global annual revenue, whichever is higher.
What Does GDPR Compliance Really Mean for Data Storage?
Basically, the GDPR mandates that companies cannot “process” personal data without the consent of the individual. The term “process” is defined broadly as “any operation or set of operations which is performed on personal data or on sets of personal data,” excluding those that are legally required. GDPR also requires that companies have policies and procedures in place, including designated personnel, for protecting and maintaining personal data.
More significantly, companies that suffer a data breach must notify authorities within 72 hours of discovering it—a relatively short window given the difficulties of detecting and determining the extent of data breaches. In addition, if the data breach results in “a high risk to the rights and freedoms of natural persons,” the company must notify the affected individuals “without undue delay.”
As is evident, much of the language of the GDPR is broad and open to interpretation. For example, it says that companies must provide a “reasonable” level of protection for personal data but doesn’t define what constitutes “reasonable.” This gives the GDPR governing body considerable leeway when it comes to assessing fines for data breaches and non-compliance. But it also gives companies an incentive to provide the strongest protection possible against breaches and cyberattacks. CSOonline, when covering a recent RSA Data Privacy and Security Report, claimed that of “7,500 [surveyed] consumers in France, Germany, Italy, the UK and the U.S., 62% […] said they would blame the company for their lost data in the event of a breach, instead of the hackers who stole the information.”
As might be expected, upgrading equipment and putting new processes in place will be costly for some. According to a PwC survey, 77 percent of businesses plan to spend $1 million or more to address GDPR. Nine percent anticipate spending over $10 million!
Start the preparation process early to avoid these costly problems. Here are some critical steps a company can take to get ready for the May GDPR deadline:
- Perform an audit of your data. A review of your data—what it contains, where it comes from, how your company handles it—will identify areas that could cause problems complying with the GDPR. An inventory of personal data and how the business is protecting it is one of GDPR’s key compliance requirements.
- Review and update your privacy policies. Clear, transparent and easily accessible privacy information is required under GDPR. Your policy must include information on the rights of individuals to have their personal data erased, to prevent its resale to third parties, and to correct any inaccuracies.
- Prepare for ‘privacy by design’ and privacy impact assessments. GDPR requires companies to implement technical and organizational measures that demonstrate data protection has been integrated into their processing activities. This includes monitoring, reviewing and assessing your data processing procedures, building in data protection safeguards, and regular staff training.
Complying with GDPR will be a major hurdle for many companies, but in the long run the benefits will be worth it. Compliant businesses will be ahead of the curve in protecting data and instilling trust with their customers and clients, and will be better protected not only against data breaches but also against the lawsuits that usually follow cyberattacks.
Download the report by Storage Switzerland LLC to find out how storage systems from RackTop integrate encryption into storage software to deliver GDPR-compliant features without impacting user performance. As part of its security capabilities, RackTop provides auditing, immutability and full ransomware protection and recovery. Explore the report now to get ahead of the GDPR starting today.