The new GDPR (General Data Protection Regulation) legislation, concerning the handling and storage of personal data, agreed by the European Commission on 27th April 2016, is set to come into force next May, following its implementation period. The legislation will replace the existing Data Protection Directive 95/46/EC with substantial changes, including significantly tougher penalties for non-compliance. This means that businesses don’t have much time left to get up to speed with GDPR and make the required changes to their data policies in order to avoid falling foul of the law.
Protection for businesses as well as consumers
The existing DPA dates back to the 90s, so given the way technology has progressed since then, certainly in terms of the way data is harvested, stored and manipulated, it’s very much due an update. Cybercrime, for instance, is a much bigger concern now for businesses and individuals alike than it was 20 years ago. You only have to look at some of the breaches at well-known companies making the headlines for all the wrong reasons.
Unfortunately, since cybercriminals view SMEs as softer targets than their corporate counterparts (which usually have far more resources available to safeguard data and tackle cybercrime), SMEs should be particularly careful to make sure they’re not in the firing line, especially given the bigger penalties coming in 2018. A lack of resources or ignorance will be no excuse.
Make changes or pay the price
One of the biggest changes coming will be in terms of ‘consent’. Companies now must keep records of how and when customers, or end-users, give consent for the acquisition, storage and usage of personal data. That now means ‘active agreement’. A tick-box isn’t enough. Companies must be able to show a full audit trail, including screen grabs or consent forms. Individuals will also be able to withdraw consent at any time and firms will need to show that all data was completely erased and not simply removed from a mailing list.
The new rules are equally stringent should a data breach occur. Firms must inform the relevant authorities within 72 hours and that submission must come with a proposal for mitigating any potential damage resulting from a data compromise.
Fines can be as much as 4% of annual global turnover or up to €20 million for the most serious infringements. Even inconsistencies in your records alone could lead to a fine of 2%.
How Office 365 could protect your business
For many, just preparing for the legislation will mean a full data audit, followed by a complete overhaul of all procedures concerning the collection, storage and management of personal data.
However, there are certain easy ways to protect your business. Office 365, for instance, comes with several features that can help with GDPR compliance. These include Data Loss Prevention (DLP), Advanced Data Governance and a customer lockbox – all designed to help businesses become fully GDPR compliant.
Microsoft is just one of the first vendors to integrate such features into its products to protect its business customers, and others are sure to follow suit. So when it comes to reviewing your business processes in light of GDPR, it can be seen as an opportunity to update your IT infrastructure in line with both the new legislation and the future goals of your business.