By Editor
Enforcement of the General Data
Protection Regulation (GDPR) is now just a few months away. The media
have intensively examined and written about this topic from practically every
angle since it became legislation. Businesses continue to struggle with both
understanding and implementation of what they need to do to be compliant.
WeLiveSecurity sat down with ESET’s Global Security
Evangelist, Tony Anscombe, to better understand the essentials of GDPR.
GDPR comes into force on May 25, 2018. What do you
expect to see happening the most – companies making sure they are compliant or
companies delaying development of an action plan?
Speaking at multiple conferences this year – both
in Europe and outside – I have witnessed the same issue everywhere: businesses
all over the world are unsure of how GDPR will actually work in practice. They
do not understand the requirements in detail, do not know if all of them are
applicable to their businesses, and they do not understand either the key Data
Subject Rights, or the role personal data will play in this regulation.
An understanding of all of these seems
critical to meeting the requirements of GDPR once it comes into force. If you
manage a business, are the remaining seven months long enough to define what
your company needs to do in order to comply?
Well, you can get a lot done in seven months. The
majority of European businesses within the European Union (EU) have been
compliant with the previous Data Protection legislation, such as Directive 95/46/EC, since 1995. Some of the EU countries
implemented local legislation beyond this directive, adding further
requirements to give citizens additional protection. For many it is a matter of
applying the same principles with greater precision so as to comply with the
new requirements that GDPR has added.
Being ‘close’ to compliant can still result in
fines of thousands, maybe millions, of euro. What have you seen companies do to
accelerate their preparedness for GDPR and what do you think they should be
doing?
First, I would recommend that businesses have a
privacy professional explain the basic requirements of GDPR in relation to
their businesses. They need to understand there is no general approach
applicable to all companies. In particular, they need to understand that the
critical part of being compliant is based on what type of personal data the
organization is working with, how the information is being collected and
processed, and finally, where and how the same information is being stored;
these are all key to meeting GDPR requirements. This is a very good starting
point for the next steps, such as the creation of a personal data inventory.
Once the inventory is created, data will need to be
categorized for all the data types you are both collecting and processing,
including data coming from citizens of the European Union. It’s incredibly
important to note that if you are a company not based in the EU, for example a
company based in the USA, you must recognize the requirement to comply with
GDPR if you are doing business with EU citizens.
With all the options given to us by online
shopping, for example, almost every business selling to the European Union
needs to comply. That makes for a long list of businesses doesn’t it?
Yes, you are right (laughs). Any company that sells
or provides goods or services to European citizens and collects data needs to
comply. That is true whether they have an office or legal entity in the EU or
not. There are questions about how the EU will enforce or impose fines relating
to non-compliance on companies not located in the EU but I am sure they will
move quickly to make examples of companies not in compliance to encourage
others to comply.
Are there any exceptions? Can I be just selling my
handmade soaps to people in the EU without being compliant?
Yes and no. GDPR is a requirement for all
companies, regardless of size. If you are selling directly through your own
website then you need to comply. However, if you sell through a general online
store such as Amazon and you are only providing goods to Amazon which is then
responsible for fulfilling and shipping the order, then you may not need to
comply. If a company has over 250 employees or its business transactions are
based on the handling of personal data, then it is required to employ a data
protection officer. The maximum fine for non-compliance is 20 million euro or
up to 4 percent of a company’s annual global turnover, which is – for any
company – a high number.
While this may sound daunting and the consequences
of non-compliance are significant, it’s considered unlikely that regulators
will make an example of small businesses that can demonstrate they have a plan
and have attempted to comply fully with requirements. It is more likely that
the regulator will work with these companies on the additional steps needed to
achieve full compliance.
What else can businesses do to make sure they step
into the new era of protecting personal data?
I strongly recommend that companies engage the
services of a privacy professional, and provide training to their employees
focused on instituting a proper plan on how to store and protect data, and that
it encompasses the entire company. One of the key requirements is to deploy an
encryption solution with access controls, protecting data everywhere you go –
even for employees not located on the business’s main premises.
Are you still nervous about being non-compliant
with GDPR? Don’t worry, there is still enough time to demonstrate that your
company is taking the right steps to protect personal data and learn the core
skills needed for surviving the new age of data protection.
___________________
For more information on the General Data Protection
Regulation, ESET has a dedicated page to help ensure that you have
everything covered before 25 May 2018.