What is GDPR?
In the age of the internet, privacy is a huge concern, and when a data breach occurs personal information gets lost or stolen. It is not always known where this information ends up, but it often lands in the hands of someone with malicious intent. In 2017 we saw many data breaches, Equifax being one of the largest. So when these breaches occur, how can we hold companies accountable for losing such precious information?
The European Union aims to answer this question with the General Data Protection Regulation. Better known as GDPR, the General Data Protection Regulation (Regulation (EU) 2016/679) is a legal framework that sets rules for the collection and processing of personal data of individuals located within the European Union.
The GDPR not only affects businesses established in the EU but also foreign companies that process personal data of individuals in the EU, for example by offering them goods or services or by monitoring their behaviour. These companies must comply with the regulation, protect an individual's personal data with security appropriate to the risk, and keep records of what data they hold and where it is processed and stored.
The GDPR will officially go into effect on May 25, 2018.
Why is the GDPR being implemented?
Data breaches happen, and we have seen many major ones in the past few years. Yahoo! was hit in 2013, but the full impact of the breach was not disclosed until this past year, when it was revealed that all Yahoo! user accounts had been affected. When these breaches occur, attackers can do catastrophic damage to an individual if they obtain email addresses, birth dates, social security numbers, mailing addresses and bank account information.
When can companies process an individual's data?
Under the GDPR, personal data may only be processed on one of the lawful bases set out in Article 6: consent of the data subject; performance of a contract with the data subject; compliance with a legal obligation; protection of the vital interests of the data subject or another person; performance of a task carried out in the public interest or in the exercise of official authority; or the legitimate interests of the controller or a third party, where those interests are not overridden by the rights and freedoms of the data subject.
Once the GDPR goes into effect, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, must appoint a Data Protection Officer, as must public authorities. Organizations that fall outside these criteria do not need a DPO, but they must still comply with every other obligation of the regulation.
Under Articles 33 and 34 of the GDPR, a data controller is legally obligated to notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a processor must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay.
Any company that fails to comply with the new regulations faces a hefty fine. Fines are set in two tiers depending on which provisions were breached, and supervisory authorities also weigh factors such as the nature and severity of the infringement and how the company handled the aftermath. The lower tier allows fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher; the upper tier allows fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
The GDPR brings a huge benefit to individuals in the EU: prompt notification when a breach puts them at high risk. This allows individuals to react quickly to the threats they may face, for example by changing passwords or watching for fraud, and to limit the damage that the exposure of their personal data might otherwise cause.
To prepare your company for the General Data Protection Regulation before May 25, 2018, visit the EU's GDPR home page for the complete text of the regulation and its guidelines.