By Justin Fox, Digital PR Executive from distinctly.co
The EU’s General Data Protection Regulation (GDPR) will become the law across the EU on 25th May 2018. Consumer protection is at the heart of GDPR – it will unify data protection across the whole of the EU and this will impact any business which deals with the EU. If a business does not comply, there will be huge fines of up to 4% of global annual turnover.
Two main groups will be affected by GDPR:
‘Controllers’ of data – anyone who collects personal data
‘Processors’ of data – such as IT companies
Until now, customer data protection has been largely the responsibility of data controllers, yet from May this year, the processors are also going to be impacted.
The impact will also be felt by businesses across the world if they work with the EU. The UK is included in the EU, as GDPR comes into force before any changes associated with Brexit.
The Financial Times contacted 20 of the largest software, financial technology, internet and social media companies with EU operations to see how they were dealing with the forthcoming impact of GDPR.
Tech companies are having to hire more staff and consultants to make sure that they comply with all the required GDPR regulations. Replying to The Financial Times’ investigation, Facebook said that initial compliance would cost several million dollars and Facebook Ireland’s data protection team would be growing by 250% alone to support the changes. Technology groups say GDPR could be one of the most expensive law changes in the sector’s history.
2016 saw revenues of €59.5bn generated from data, which is seen as a fundamental part of the technology industry because the industry uses personal information for targeted advertising and product development. GDPR is going to change how this information can be collected and used.
How tech will change the way it handles data
GDPR is set to completely change the way international technology companies can collect, store and share the data of EU citizens:
Companies will have to ask for clear agreement from the consumer before using any of their personal information
GDPR sets a strict 72-hour deadline for identifying and reporting security breaches.
Consumers will have a right to be forgotten and to change their mind about their initial consent. They could even request for the information to be deleted. This will cause problems for technology companies that share data and for the cloud service providers, which look after personal information for other companies. The consumer could potentially give the information to a rival.
Who will be worst affected by GDPR?
Cloud providers such as Google, Amazon, IBM and Microsoft will have to change; however, Microsoft is seeing this as an opportunity, with smaller companies using its cloud system to buy GDPR compliance.
Social media and other consumer-facing technology businesses will no longer be allowed to hide behind the failure to mention what is happening to the personal information they store and the previously popular pre-ticked boxes in the small print. Web designers will have to enlarge any small print and make everything clear and transparent to the customer to give them the power of choice and awareness of what is happening to their data.
The steps that you need to take to ensure GDPR compliance
Facebook are having urgent design meetings and hiring new staff just to deal with GDPR, but what can you do as a smaller company?
Track where your personal data goes through your business. This can be complicated, but it is easier to do this now rather than with a 72-hour data breach notification hanging over you
Hire a dedicated data protection officer if you have more than 250 employees
Take GDPR into consideration when taking on new data processing contracts
Secure a compliance guarantee from new suppliers to check their GDPR compliance status
Communicate with your suppliers to ensure their data is going to be protected
Investigate whether your insurance policies cover data protection and security breaches by suppliers
Be aware that dealing with suppliers of different sizes will be a challenge as you will need to take into account that smaller companies don’t have as many resources
Ensure that processes are in place to enable the organisation to satisfy the 72-hour breach notification requirement
The amount of work needed to get ready for May 2018 can seem daunting, but IT professionals who are well prepared can turn this into an opportunity for better-quality suppliers and increased trust from their customers.
GDPR can be seen as the law catching up with the digital world. After all, it is unnerving to think of your personal data being shared without your knowledge.