All firms that provide services to people in Europe and collect their data must prepare for the new European data privacy rules.
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018.
From that date, companies operating anywhere in the world that provide services to the European market will have to be transparent about how they collect, store and process the personal data of individuals in the EU. Consumers will have the right to ask for copies of the information companies hold about them and to request that their data be deleted from business databases.
Below is a brief compilation of rules under GDPR:
However, a survey conducted by Solix Technologies in Q4 2017 among IT organizations found that about half of organizations across the EU and the US are unaware of the new European data privacy rules.
Key findings from the survey:
- 65% of organizations are unsure if an individual’s personal information is purged from all systems, forever.
- 22% of organizations are unaware that they must comply with GDPR, even if they are based outside of the European Union (EU), but hold data of EU citizens.
- 38% of organizations say that the personal data they hold under GDPR is not protected from misuse and unauthorized access at every stage of its lifecycle.
- More than half (64%) of organizations do not have a Data Protection Officer (DPO).
- While 82% of organizations say they know where their sensitive data is stored, only 55% maintain audit trails for data consents, collections, updates and deletions.
- 53% of organizations are not confident that processing of all personal data is based on explicit permission provided by the individual.
- 65% of organizations are not confident that their GDPR data will stay within the EU.
“Based on our survey data, it’s clear that the majority of organizations are not currently prepared to meet GDPR requirements. There is an urgency to take steps now, as the enforcement deadline quickly approaches and applies to anyone who is currently operating with EU customers.”
– John Ottman, Executive Chairman of Solix Technologies, Inc.
As The Financial Times reports, the UK Information Commissioner's Office is hiring more staff in preparation for GDPR. So far it has added 65 full-time staff to the 430 already working for it, and it plans to recruit at least another 166 by 2019.
Larger companies may also need additional staff to prepare for GDPR. Cyber security experts warn that companies must do proper data housekeeping to comply with the new rules: find out what data you are collecting and where it is stored, and get rid of any personal data that you no longer need. This concerns not only customer personal data but also personal references to staff buried in metadata, which will have to be removed from the company's records.
Erika Morphy suggests you check the following data that fall under the regulation:
- unstructured data in word documents, pdf files and images of account statements, checks and invoices
- personal references in social media posts and other informal communications
- click streams, search and browsing history in cases when people search for personal information, like home address or phone number, and label it as such
- personal data about location or consumption of services (e.g. in water or gas meter records)
- sales prospects data, etc.
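The housekeeping step above, finding out what personal data you hold and where, is where most of the practical work lies, and the unstructured sources in this list (invoices, chat exports, prospect lists) are the hardest to inventory. The following Python script is an added illustration, not code from the article or from Erika Morphy: it scans a constructed set of documents for e-mail addresses, international phone numbers, IBANs and IPv4 addresses, validates IBAN candidates with the ISO 7064 mod-97 check so that invoice-like strings are not reported as bank accounts, and returns a per-file inventory with redacted samples so the report does not itself become a new store of personal data. The file paths, document contents and detector patterns are all made up for the example (the valid IBAN is the standard GB example account number); a real scan would walk a file share and use a broader, locale-aware set of detectors.

```python
"""Inventory personal-data indicators in unstructured text (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Illustrative detectors for this example; a production scan would use a
# broader, locale-aware set (national ID formats, postal addresses, ...).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Only international-format numbers (+CC ...), so invoice and order
    # numbers are not flagged as phone numbers.
    "phone": re.compile(r"(?<![\w+])\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b"),
    # IBAN candidates; every hit is confirmed with the mod-97 checksum below.
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,3})?\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}

# Constructed sample documents standing in for a file share. Paths and
# contents are invented for the example; the first IBAN is the standard GB
# example account, the second has its last digit changed and must be rejected.
SAMPLE_DOCS = {
    "invoices/2017-11-inv-0042.txt": (
        "Invoice 0042 for Jane Example, jane.example@example.org, "
        "paid from IBAN GB82 WEST 1234 5698 7654 32 on 2017-11-03."
    ),
    "support/chat-export.txt": (
        "customer: my number is +44 20 7946 0958, please call back\n"
        "agent: noted, ticket updated from 203.0.113.7"
    ),
    "marketing/prospects.csv": "name,email\nJohn Doe,john.doe@example.com\nAcme Ltd,sales@example.com",
    "docs/release-notes.txt": (
        "Version 2.3 adds CSV export. Test fixture GB82 WEST 1234 5698 7654 33 "
        "is a deliberately invalid account string."
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    sample: str  # redacted, never the raw value


def validate_iban(candidate: str) -> bool:
    """ISO 7064 mod-97: move the first four chars to the end, map A-Z to
    10-35, and the resulting integer must leave remainder 1 modulo 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    try:
        digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    except ValueError:
        return False
    return int(digits) % 97 == 1


def redact(value: str) -> str:
    """Keep only the first and last two characters of a hit."""
    v = value.replace(" ", "")
    if len(v) <= 4:
        return "*" * len(v)
    return v[:2] + "*" * (len(v) - 4) + v[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for kind, rx in PATTERNS.items():
        for hit in rx.findall(text):
            if kind == "iban" and not validate_iban(hit):
                continue  # checksum failure: account-looking string, not a bank account
            findings.append(Finding(path, kind, redact(hit)))
    return findings


def scan_corpus(docs: dict[str, str]) -> list[Finding]:
    out = []
    for path, text in sorted(docs.items()):
        out.extend(scan_text(path, text))
    return out


def inventory(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-file counts by kind: the 'where is personal data stored' map."""
    inv: dict[str, Counter] = {}
    for f in findings:
        inv.setdefault(f.path, Counter())[f.kind] += 1
    return {p: dict(c) for p, c in inv.items()}


if __name__ == "__main__":
    for path, kinds in inventory(scan_corpus(SAMPLE_DOCS)).items():
        print(f"{path}: {kinds}")
```

Files with no confirmed hits (here the release notes, whose IBAN-shaped string fails the checksum) are absent from the inventory, which is the point: the output is the list of locations that need a retention decision, a deletion, or a consent record, and the redacted samples let a reviewer confirm a hit without copying the personal data into yet another document.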
In short, companies must ensure that they do not collect and store personal information unless customers have given explicit consent or the data has been fully anonymised at the point of collection. Fines for breaching GDPR can reach €20m or 4 per cent of a company's worldwide annual turnover, whichever is higher.
The question remains as to whether it will be possible at all to redesign all websites, microsites, apps and IoT systems that set up tracking of personal data in different geographical areas and jurisdictions. And what shall be done with customer data in website backups?
Image: Flickr, Dennis van der Heijden, CC 2.0