[BreachExchange] GDPR is coming this May: How should your business prepare?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 23 19:23:01 EST 2018


The EU’s General Data Protection Regulation (GDPR) will become the law
across the EU on 25th May 2018. Consumer protection is at the heart of GDPR
– it will unify data protection across the whole of the EU and this will
impact any business which deals with the EU. If a business does not comply,
there will be huge fines of up to 4% of global annual turnover.

Two main groups will be affected by GDPR:

1. ‘Controllers’ of data – anyone who collects personal data

2. ‘Processors’ of data – such as IT companies

Until now, customer data protection has been largely the responsibility of
data controllers, yet from May this year, the processors are also going to
be impacted.

The impact will also be felt by businesses across the world if they work
with the EU. The UK is included in the EU, as GDPR comes into force before
any changes associated with Brexit.

The Financial Times contacted 20 of the largest software, financial
technology, internet companies and social media companies with EU
operations to see how they were dealing with the forthcoming impact of GDPR.

Tech companies are having to hire more staff and consultants to make sure
that they comply with all the required GDPR regulations. Replying to The
Financial Times’ investigation, Facebook said that initial compliance would
cost several million dollars and Facebook Ireland’s data protection team
would be growing by 250% alone to support the changes. Technology groups
say GDPR could be one of the most expensive law changes in the sector’s

2016 saw revenues of €59.5bn generated from data and it is seen as a
fundamental part of the technology industry as the industry uses personal
information for targeted advertising and product development. GDPR is going
to change how this information can be collected and used.

How tech will change the way it handles data

GDPR is set to completely change the way international technology companies
can collect, store and share the data of EU citizens:

- Companies will have to ask for clear agreement from the consumer before
using any of their personal information

- GDPR allows a strict 72-hour deadline for identifying and reporting a
security breach.

- Consumers will have a right to be forgotten and to change their mind
about their initial consent. They could even request that the information
be deleted. This will cause problems for technology companies that share
data and for the cloud service providers, which look after personal
information for other companies. The consumer could potentially give the
information to a rival.

Who will be worst affected by GDPR?

Cloud providers such as Google, Amazon, IBM and Microsoft will have to
change; however, Microsoft is seeing this as an opportunity, with smaller
companies using its cloud system to buy GDPR compliance.

Social media and other consumer-facing technology businesses will no longer
be allowed to hide behind the failure to mention what is happening to the
personal information they store and the previously popular pre-ticked boxes
in the small print. Web designers will have to enlarge any small print and
make everything clear and transparent to the customer to give them the
power of choice and awareness of what is happening to their data.

The steps that you need to take to ensure GDPR compliance

Facebook are having urgent design meetings and hiring new staff just to
deal with GDPR, but what can you do as a smaller company?

- Track where your personal data goes through your business. This can be
complicated, but it is easier to do this now rather than with a 72-hour
data breach notification hanging over you

- Hire a dedicated data protection officer if you have more than 250

- Take GDPR into consideration when taking on new data processing contracts

- Secure a compliance guarantee from new suppliers to check their GDPR
compliance status

- Communicate with your suppliers to ensure their data is going to be

- Investigate whether your insurance policies cover data protection and
security breaches by suppliers

- Be aware that dealing with suppliers of different sizes will be a
challenge as you will need to take into account that smaller companies
don’t have as many resources

- Ensure that processes are in place to enable the organisation to satisfy
the 72-hour breach notification requirement

The amount of work needed to get ready for May 2018 can seem daunting, but
IT professionals who are well prepared can turn this into an opportunity
for better quality suppliers and increased trust from your customers.

GDPR can be seen as the law catching up with the digital world. After all,
it is unnerving to think of your personal data being shared without your