On May 25th, 2018, the General Data Protection Regulation (GDPR) became enforceable, two years after its adoption by the European Union (EU) in April 2016.
The GDPR is the first major overhaul of data protection law in the European Union since the 1995 Data Protection Directive. The reform is designed to give people in the EU much greater control over how their personal and financial information is collected and processed by businesses, and as a result, businesses are required to adhere to strict mandates to ensure that this data is kept private and secure.
For example, under the GDPR you need a lawful basis, such as the individual's explicit consent, for each kind of personal data you collect from someone in the EU, and a business whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of personal data must appoint a DPO (data protection officer) to oversee its compliance with the GDPR. You also have only seventy-two hours from becoming aware of a personal data breach to report it to the supervisory authority.
Violating the GDPR can mean a fine of up to 4% of your annual worldwide turnover or twenty million euros, whichever is higher. And while you may think that the GDPR doesn't impact your business because you are based outside of the European Union, if you offer goods or services to people in the EU, or monitor their behaviour, you will have to make sure you are in compliance.
In other words, the GDPR is something that you need to take very seriously, and to be more specific, you need to know how it’s directly going to impact your cybersecurity plans as well. That’s exactly what we’re going to talk about today:
The Definition of Personal Data Has Changed
The first thing that you need to know about the GDPR is that the definition of personal data has changed.
'Personal data' was already a broad term, but in practice it was mostly used to refer to personal and/or financial information that could directly disclose a person's identity.
Under the GDPR, however, 'personal data' is defined as any information relating to an identified or identifiable natural person, and the definition explicitly covers online identifiers.
This is because under the GDPR, each and every one of the following now constitutes personal data:
- Phone Number
- Email Address
- Postal Code
- Driver’s License
- Bank Account Numbers and Information
- Credit and Debit Card Numbers
- IP Addresses
- Union Membership Numbers
- Workplace Information
If you rely on consent as your lawful basis for collecting any of that information from someone in the EU (the 'data subject'), the consent must be explicit. You must also clearly state what the information will be used for, and the person must be able to withdraw their consent at any time, as easily as they gave it.
Collecting Personal Data Is Now Much More Restrictive
The GDPR is very restrictive about collecting personal information of the kinds outlined above. As we just discussed, where you rely on consent you must obtain it explicitly from the customer or client before you collect any of that information, and you must allow them to withdraw it at any time.
But the real reason why personal data collection is much more restrictive under the GDPR is that 'explicit consent' means a freely given, specific and informed indication of agreement, expressed through a clear affirmative action in unambiguous language.
In other words, you can't just present the user with a long list of terms to accept or reject as a whole, and pre-ticked boxes, silence or inactivity do not count. Instead, you need to ask separately for each purpose for which you want personal information, and you must clearly indicate how that information will be used. Data collected for one purpose may not be reused for marketing unless the person consented to that purpose, or another lawful basis covers it.
You Must Fully Assess and Report Any and All Security Risks
As was mentioned in the introduction, you must monitor for data breaches and report any breach to the supervisory authority within seventy-two hours of becoming aware of it, unless the breach is unlikely to put the people concerned at risk. Where the risk to those people is high, you must also inform them without undue delay.
Meeting that deadline is only possible if you already know where personal data lives. Practical steps include routinely reviewing where personal data enters, is stored in and leaves your systems, whether through email threads, social media, website traffic or application logs, so that you can identify the areas most exposed to a breach and detect one quickly when it happens.
You Should Adopt A Multi-Layered Approach To Cybersecurity
While you may believe that every internet-connected device in your office is secure because it sits behind a high-quality firewall, the truth is that a firewall on its own is not an adequate defence for your customers' personal data.
Instead, you need to adopt a multi-layered approach to your cybersecurity. Firewall protection is obviously a good start, but you will also need to encrypt personal data at rest and in transit, reduce error-prone manual handling of personal data through automation, and secure file transfers (encrypted channels such as SFTP or TLS rather than plain FTP or email attachments), to name a few things.
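The list of identifiers earlier in this article and the encryption advice in this section are abstract, so here is a worked example, added for this edit and not code from the original article. It is a small Python scanner that finds the identifier types from that list (e-mail addresses, IPv4 addresses, payment card numbers, phone numbers) in a set of constructed log lines, and replaces each one with a keyed pseudonym (HMAC-SHA256 under an assumed secret key) so that the logs stay useful for the breach monitoring discussed above without carrying raw personal data. The regular expressions, the sample lines and the key are assumptions for the example, not anything from the page.

```python
"""Find the identifier types the article lists (e-mail, IP address, card number,
phone number) in free-text records and replace each with a keyed pseudonym.

Added example for this article; it is not code from the original page.
Uses only the Python standard library.
"""
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Constructed sample log lines; none of these addresses or numbers are real.
SAMPLE_LOG = """\
2018-05-25T10:01:02Z login ok user=alice@example.com src=203.0.113.7
2018-05-25T10:02:15Z checkout card=4111111111111111 src=198.51.100.23
2018-05-25T10:03:44Z support ticket phone=+44 20 7946 0958 user=bob@example.org
2018-05-25T10:04:01Z healthcheck ok code=200 src=10.0.0.5
2018-05-25T10:05:30Z order id=1234567890123456 status=shipped
"""

# One alternation so each position is classified once and emitted pseudonyms
# are never rescanned. Card numbers are over-matched on purpose and confirmed
# with a Luhn check; the others are plain syntactic matches.
PERSONAL_DATA = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<card>\b\d(?:[ -]?\d){12,18}\b)"
    r"|(?P<phone>\+\d[\d ]{7,14}\d)"
    r"|(?P<ipv4>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
)


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(match: re.Match) -> Optional[str]:
    """Return the identifier kind for a regex match, or None for a false positive."""
    kind = match.lastgroup
    if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", match.group(0))):
        return None  # 13-19 digits that fail Luhn are an order id, not a card
    return kind


def find_personal_data(text: str) -> List[Tuple[str, str]]:
    """List (kind, value) pairs for every personal-data item found in `text`."""
    found = []
    for m in PERSONAL_DATA.finditer(text):
        kind = classify(m)
        if kind is not None:
            found.append((kind, m.group(0)))
    return found


def pseudonymize(kind: str, value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same value gives the same token under one
    key, so events can still be correlated, but the raw value cannot be recovered
    without the key (a plain hash of an IPv4 address can be brute-forced)."""
    tag = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"<{kind}:{tag}>"


def redact(text: str, key: bytes) -> str:
    """Replace every confirmed personal-data item in `text` with its pseudonym."""
    def repl(m: re.Match) -> str:
        kind = classify(m)
        return m.group(0) if kind is None else pseudonymize(kind, m.group(0), key)
    return PERSONAL_DATA.sub(repl, text)


if __name__ == "__main__":
    key = b"placeholder-key-keep-out-of-the-log-pipeline"  # assumed secret key
    for kind, value in find_personal_data(SAMPLE_LOG):
        print(f"{kind:6} {value}")
    print(redact(SAMPLE_LOG, key))
```

The key is what makes the tokens a pseudonym rather than an unsalted hash: keep it outside the log pipeline and rotate it, and correlation across log lines keeps working while nobody holding only the logs can recover an address or card number. The 16-digit order id in the last sample line is left alone because it fails the Luhn check, which is the kind of false positive a naive digit-run regex would wrongly redact.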
A DPO Will Keep You In Compliance
Under the GDPR, responsibility for data protection is divided between two roles.
The first is the controller: the organisation that decides why and how personal data is processed, which for most readers means the business that obtains personal information from its customers.
The second is everyone who actually processes that data on the controller's instructions, from your own employees carrying out day-to-day tasks to third-party processors such as hosting, payment or payroll providers.
The problem is that most business owners and employees do not know how to stay in compliance with the GDPR. This is exactly why many more businesses are appointing a DPO (data protection officer) to train staff, monitor compliance, provide accountability and act as the point of contact with the supervisory authority.
You Should Streamline Data Management Across Endpoints
Last but not least, you should streamline your data management across your endpoints, because every additional device that holds or can reach personal data is another place it can be stolen from.
To do this, bring all endpoints under a central management and access-control console. This lets IT teams see which devices hold personal data, supervise how it flows, and control who can and who cannot reach an endpoint, thereby reducing the risk from outside threats.
Hopefully this article has given you a clearer view of how the GDPR works and, specifically, how it affects your cybersecurity strategy.
As a result of the GDPR, collecting and protecting the personal data of your European Union customers is now a much bigger priority than it was before, and it is important to have the right security controls in place to keep that data secure.