CTO Insights: The General Data Protection Regulation (GDPR) Is Coming, What Now?
Based on the incidents we saw in 2016, I recommend that organizations enter 2017 with caution. From the growth of Business Email Compromise (BEC) attacks to cybercriminals using more effective ways to exploit Internet of Things (IoT) devices, these security issues should serve as a reminder for businesses and individuals to be more vigilant. One of the most pressing matters that many organizations need to pay attention to, however, is the forthcoming General Data Protection Regulation (GDPR). The new set of rules is designed to harmonize data protection across all EU member states and brings in a number of key components that will directly impact businesses, including businesses outside Europe.
What should you expect?
Much has been said about the GDPR, but what is the most realistic data protection design for organizations? This might be one of the questions you need to ask yourself as a business. My answer would be: only collect what you need to collect. How much personal information do you really need to collect? For example, a customer's birthday might not be pertinent to your business, so you must get rid of it. If you have an existing collection of data that is not needed to do business, then you need to redesign the database and drop the fields you do not need. During the transition period until May 2018, when the GDPR will be in effect, organizations have to prepare to be compliant. Here are some of the common compliance issues your company could face:
Penalties and fines - the GDPR maintains that non-compliance or violations could cost companies up to 5% of global turnover, or €100 million, in penalties.
Data Breach Notification - the new regulation will require companies to disclose data breaches within 21-72 hours.
Right to erasure - to stress my statement earlier, only collect what you need to collect. This means companies have to delete personal data and any related links if they no longer find it accurate or relevant to the business.
Right to information and transparency - customers should have the right to opt out and have a very clear understanding of what you do and how you store their personal data.