GDPR bills itself as the toughest privacy and security law in the world. Any company that has customers, users, or data storage in the EU – no matter where they’re headquartered – has to comply with GDPR. For enterprise executives, IT professionals, and business users, this means knowing how GDPR impacts business practices and cybersecurity measures.
Being GDPR compliant doesn’t just protect you from costly fines. It helps your enterprise implement a better set of technology and security practices to protect sensitive data. Implementing GDPR-level security also helps prevent hacks and data breaches that often result in a damaged brand reputation.
Read on for an explanation of why GDPR exists, what it mandates, and how it affects businesses of all shapes and sizes.
The Truth Behind GDPR
If you read the GDPR line by line, you’ll find a lot of legalese about things like personal data rights and consumer protection. But the reason for GDPR’s existence boils down to one simple fact: hackers have breached – and continue to breach – high-profile corporations, businesses, and governments. The truth is, without massive cyber-intrusions like the one that cost British Airways £183.4 million in fines, GDPR likely wouldn’t exist.
But GDPR goes far beyond penalizing companies that get hacked. The goal is to set a single standard for how all EU citizens’ data is collected, stored, and processed, in order to protect those individuals. A political consulting firm in Italy was recently fined €50,000 for sharing confidential voter data with third parties in a non-secure fashion.
“People’s personal data is just that – personal,” writes Elizabeth Denham, the UK’s Information Commissioner. Denham’s statement was in response to British Airways’ careless practices that led to the 2018 data breach. “The law is clear,” she continues. “When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Denham issues a stern warning to businesses that handle sensitive EU citizen data of any kind. Banks must now take extra caution with how they store and process credit card information. Hospitals need to take similar precautions with how private medical information gets shared and handled within the building.
Social media, digital advertising, and public services are other key industries impacted by GDPR.
At the end of the day, if your business collects, touches, or keeps data of EU citizens or customers, you’re at the mercy of GDPR.
GDPR’s Impact on Enterprises
Although GDPR affects sectors across the spectrum, there are common themes to how companies and brands will be impacted. Here are the three most critical areas that organizations need to be aware of in relation to GDPR security and compliance.
1. Data Collection Methods
GDPR raises the bar significantly when it comes to how your company can legally collect private data from EU citizens. The law specifies that users must consent in “either a statement or a clear affirmative act.” Whether it’s filling out a form on your website or subscribing to an email list, businesses must make sure that there’s a clear opt-in for consumers. In most cases, GDPR also mandates that consumers then double-validate their consent in a separate email.
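As an added illustration of the opt-in and separate-email confirmation step described above (example code written for this page, not from the original article), here is a small Python double opt-in consent store. It records a consent request only when the user actively ticked the box, issues an HMAC-signed confirmation token to send in the follow-up email, and treats consent as given only once that token comes back untampered, unexpired, and matching the current request. The signing key, the 48-hour expiry, the purpose names and the sample addresses are all constructed assumptions.

```python
"""Double opt-in consent capture (constructed example, not the article's code)."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumption: in a real deployment this key comes from a secret store, not source code.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # constructed policy: confirmation links expire after two days


@dataclass
class ConsentRecord:
    email: str
    purpose: str                     # consent is granted per purpose, e.g. "newsletter"
    requested_at: int                # when the opt-in form was submitted
    source: str                      # where the affirmative act happened (audit evidence)
    confirmed_at: Optional[int] = None  # None until the emailed token comes back


class ConsentStore:
    """In-memory consent ledger; the clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: dict = {}

    def request_consent(self, email: str, purpose: str, source: str, user_ticked: bool) -> str:
        """Step 1: store an unconfirmed opt-in and return the token to send by email.
        Nothing may be processed for this purpose until confirm() succeeds."""
        if not user_ticked:
            # A pre-ticked box is not "a clear affirmative act", so it is refused outright.
            raise ValueError("consent requires a clear affirmative act by the user")
        if "|" in email or "|" in purpose:
            raise ValueError("field contains the reserved separator character")
        now = int(self._clock())
        self._records[(email, purpose)] = ConsentRecord(email, purpose, now, source)
        return self._sign(f"{email}|{purpose}|{now}")

    def confirm(self, token: str) -> bool:
        """Step 2: the link in the confirmation email carries the token back."""
        claim = self._verify(token)
        if claim is None:
            return False                      # forged, truncated or tampered token
        email, purpose, issued = claim
        if int(self._clock()) - issued > TOKEN_TTL_SECONDS:
            return False                      # link expired; user must opt in again
        rec = self._records.get((email, purpose))
        if rec is None or rec.requested_at != issued:
            return False                      # withdrawn, or a stale token from an older request
        if rec.confirmed_at is None:
            rec.confirmed_at = int(self._clock())
        return True

    def has_consent(self, email: str, purpose: str) -> bool:
        rec = self._records.get((email, purpose))
        return rec is not None and rec.confirmed_at is not None

    def withdraw(self, email: str, purpose: str) -> None:
        """Withdrawal must be as easy as giving consent; drop the record entirely."""
        self._records.pop((email, purpose), None)

    def _sign(self, claim: str) -> str:
        body = claim.encode()
        mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
        # base64 output never contains ".", so the token splits unambiguously.
        return base64.urlsafe_b64encode(body).decode() + "." + mac

    def _verify(self, token: str) -> Optional[Tuple[str, str, int]]:
        try:
            body_b64, mac = token.split(".", 1)
            body = base64.urlsafe_b64decode(body_b64.encode())
        except ValueError:
            return None
        expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        # Only content we signed ourselves reaches this parse step.
        email, purpose, issued = body.decode().split("|")
        return email, purpose, int(issued)


if __name__ == "__main__":
    store = ConsentStore()
    token = store.request_consent("alice@example.invalid", "newsletter", "web signup form", user_ticked=True)
    print("consent before confirmation:", store.has_consent("alice@example.invalid", "newsletter"))
    print("confirmation accepted:", store.confirm(token))
    print("consent after confirmation:", store.has_consent("alice@example.invalid", "newsletter"))
```

The token is the only thing the confirmation email needs to carry; because it is signed with a server-side key, the link cannot be altered to confirm a different address or purpose, and because it embeds the request time, a link from an older, superseded request is rejected. The `source` field is kept purely so the organization can later show when and where the affirmative act happened.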
2. Internal Secure Communication
Once data has been collected, companies also need to take a hard look at how sensitive information is handled, processed, or communicated internally. This includes how internal staff and employees transmit sensitive data during the course of their normal work. For example, a nurse in one wing of a hospital may want to send a patient’s test results to a surgeon using the hospital’s own private messaging platform. You’ll need to ensure that those private channels are GDPR-compliant, using technology like end-to-end data encryption keys.
3. Human Resource Strategy
In many cases, sensitive information isn’t compromised because a hacker muscled their way into the system. Instead, it’s negligent employees who mishandle data – often unintentionally – that leave data exposed in violation of GDPR. Moreover, enterprise-scale businesses will likely have to appoint a Chief Data Protection Officer (DPO) per GDPR. These are two of the biggest ways that GDPR is likely to affect human resource operations within your business. You’ll need to conduct regular training to ensure your entire company is handling and protecting data in a GDPR-compliant fashion. And your DPO will be there to lead the strategy as well as liaise with regulatory bodies as needed.
It’s not if GDPR affects your company. It’s when.
It feels like regulators are just getting warmed up when it comes to enforcing GDPR compliance. This includes companies like British Airways that have highly publicized breaches, as well as companies that are simply not collecting, storing, and handling data up to standard. The key is to make GDPR a priority from the C-suite down to everyday employees and to work hand-in-hand with IT experts to ensure your entire technology stack has as few vulnerabilities as possible.
It’s not if GDPR affects your company. It’s when. The sooner you get a handle on what GDPR is and how it applies to your business, the faster you can adjust your technology and business practices accordingly.