Posted October 31, 2017
On 25 May 2018, the new General Data Protection Regulation (GDPR) will become binding law, affecting thousands of companies inside the EU and around the world. Whilst this law contains many protections for citizens’ privacy, it puts a significant burden on companies to become compliant and threatens harsh fines for any data leaks. Since such a penalty could spell bankruptcy for many small and medium businesses, the law has led to a lot of fear and confusion in the business community. In this blog post, I’ll give a short overview of the most important things that you need to know when it comes to the GDPR.
Who is Affected?
In general, every company that handles private data of EU citizens as part of its business operations is subject to the law, whether inside or outside the EU. This includes small and medium businesses just as much as giants like Facebook or Google. Moreover, whilst third parties that offer data collection and storage services (‘data processors’) were previously not liable for their mishaps whilst acting on behalf of other companies, they are just as accountable as their clients under the new regulation. Thus marketing companies, recruitment agencies, server hosts and similar businesses will also have to comply with the new regulation. Furthermore, the GDPR does not only apply to company-customer relationships, but also to business-to-business dealings, as both are seen as interactions between individuals under the law. Therefore, any data and information exchange that features personal data is subject to the GDPR.
What Is Considered Personal Data?
Personal data is any information that can be used to personally identify an individual, such as name, a photo, an email address, bank details, posts on social networking sites, location details, or IP addresses. Furthermore, particularly sensitive information such as religion, sexual orientation, family status, ethnicity, political affiliation and medical information are given greater protection under the law and carry a harsher punishment when collected, shared and stored without consent or legitimate reason. No distinction is made between personal data about individuals in their private, public or professional lives.
Rights and Obligations
Any individual (a ‘data subject’ in regulatory jargon) has several rights when it comes to his or her private data. Since rights cannot be given without a matching obligation, the following list is also a series of duties your company needs to perform under the new law:
  1. Consent Has To Be Given: Any processing of personal information by a business can only be carried out if the data subject has given a specific, informed and unambiguous indication of consent either by a statement or a clear ‘affirmative action’.
  2. Right to Access: Individuals can access their personal data and request what information is collected about them and for what purposes. The company has to provide them with a copy of this information when requested, free of charge.
  3. Right to Be Forgotten: If individuals are no longer a customer of the company or withdraw their consent from a company to use their personal data, the company has to delete the information (with some exceptions.)
  4. Data Portability: Individuals have the right to transfer their data from one service provider to another (e.g. mobile carriers) in a commonly used and machine-readable format.
  5. Right To Be Informed: Individuals have to be informed before any data gathering takes place. Consumers have to opt in for any new or further data collection on them. Consent must be freely and explicitly given and not implied. Legalese is actively deterred.
  6. Right to Correct Information: Consumers can have their data updated or corrected if requested.
  7. Right to Restrict Processing: Consumers can allow data storage but prevent processing (e.g. marketing, customer analysis).
  8. Right to Object: Consumers can object to any use of their data (e.g. Direct Marketing). This right has to be made clear to the customer at the start of any communication. Any objection is binding and immediately applicable.
  9. Breach Notification: If an individual’s data is compromised as a result of a data breach, the individual has to be informed within 72 hours of the company having become aware of the breach.
Given all these new consumer rights, companies will have to radically change their approach towards personal data.
Analysing the Obligations
First and foremost, the GDPR is NOT just an IT department issue. It implies wide-ranging changes for the whole company and how it conducts business. This includes keeping records of any customer communications and explicit records that show how and when customers have given consent to data collection. Any company has to be able to prove that the customer explicitly agreed to a certain action (e.g. receiving a newsletter). Data needs to have time stamps and audit trails that allow for accurate reporting.
So who’s going to oversee all these changes? The new law outlines that organisations must appoint a Data Protection Officer in charge of GDPR compliance who has to communicate with the Local Data Protection Agency (i.e. when reporting data breaches) and is considered an “independent assessor” similar to an ombudsman. The DPO has to conduct regular “privacy and data impact assessments” and a variety of controlling tasks.
What Are the Fines?
The law outlines penalties of up to 4% of annual turnover or €20 million (whichever is greater) for organisations that are non-compliant with the regulation. Although these are maximum fines only imposed for serious offences, be aware that lacking customer consent for data processing or violating the core of the “Privacy by Design” concept are considered serious offences.
How to Prepare?
There are a lot of business operations that have to be changed where Cyberlight cannot help you, such as how to conduct marketing whilst being GDPR compliant or how to adopt proper communication and data collection procedures. However, data and information security are a vital part of the GDPR and adopting a “Privacy by Design” attitude in an organisation can significantly reduce the administrative burden on companies.
Encryption and anonymisation of personal data can prevent major headaches for businesses, as these mitigate the risk of being liable for major data breaches under the GDPR. Moreover, Article 32 of the regulation delineates that businesses which implement “appropriate technical and organisational measures” for data storage and processing have less stringent obligations when it comes to notification or reporting.
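As an added illustration of the pseudonymisation idea above (this is example code written for this post, not Cyberlight’s own tooling), the snippet below replaces direct identifiers in a working dataset with keyed pseudonyms and keeps the only link back to the real identity in a separate vault. The customer records, the vault class and the function names are all constructed for the example. It also shows how the “right to be forgotten” can be honoured for the analytics copy: erasing the subject’s per-subject key and lookup entry means the remaining pseudonymous rows can no longer be attributed to that person, even by someone who knows the original e-mail address.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are fictitious.
CUSTOMERS = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.com", "country": "FR", "plan": "free"},
]


class PseudonymVault:
    """Holds the only link between a pseudonym and a real identifier.

    Stored and access-controlled separately from the dataset that uses the
    pseudonyms, so that a breach of the dataset alone exposes no direct
    identifiers (hypothetical design for this example).
    """

    def __init__(self):
        self._subject_keys = {}   # normalised identifier -> per-subject secret key
        self._lookup = {}         # pseudonym -> normalised identifier

    @staticmethod
    def _normalise(identifier: str) -> str:
        # Case and whitespace differences must map to the same subject.
        return identifier.strip().lower()

    def pseudonymise(self, identifier: str) -> str:
        """Return a stable pseudonym for the subject (same subject -> same value)."""
        ident = self._normalise(identifier)
        # A fresh random key per subject: without it, the pseudonym cannot be
        # recomputed from the e-mail address, which is what makes erasure effective.
        key = self._subject_keys.setdefault(ident, secrets.token_bytes(32))
        pseudonym = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
        self._lookup[pseudonym] = ident
        return pseudonym

    def reidentify(self, pseudonym: str):
        """Resolve a pseudonym back to the identifier, or None if unknown/erased."""
        return self._lookup.get(pseudonym)

    def erase(self, identifier: str) -> bool:
        """Right-to-be-forgotten: destroy the key and the lookup entry for a subject."""
        ident = self._normalise(identifier)
        key = self._subject_keys.pop(ident, None)
        if key is None:
            return False
        pseudonym = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
        self._lookup.pop(pseudonym, None)
        return True


def build_analytics_dataset(records, vault: PseudonymVault):
    """Copy the records for analysis, replacing the e-mail address with a pseudonym."""
    return [
        {"subject": vault.pseudonymise(r["email"]),
         "country": r["country"],
         "plan": r["plan"]}
        for r in records
    ]


def contains_direct_identifiers(dataset) -> bool:
    """Cheap sanity check before a dataset leaves the vault boundary: no e-mail addresses."""
    return any("@" in str(v) for row in dataset for v in row.values())


if __name__ == "__main__":
    vault = PseudonymVault()
    dataset = build_analytics_dataset(CUSTOMERS, vault)
    print(dataset)
    print("direct identifiers present:", contains_direct_identifiers(dataset))
    print("erased alice:", vault.erase("alice@example.com"))
    print("alice still resolvable:", vault.reidentify(dataset[0]["subject"]) is not None)
```

The reason for a keyed construction rather than a plain hash of the e-mail address is that a plain hash is not pseudonymisation: anyone holding a list of addresses could recompute every token. The per-subject key is what turns deletion of the vault entry into a real erasure for the analytics copy, while the other rows keep working for aggregate reporting.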
When it comes to this aspect of the GDPR, we are happy to help you get ready for May 2018. Our goal is to make companies more secure and protect individual privacy, whilst also preventing businesses from being crippled by bureaucracy.
Co-founder, social engineering specialist and amateur philosopher.