The law that governs how organizations use personal data is changing. Currently, the Data Protection Directive adopted in 1995 regulates the processing of personal data within the European Union, but the European General Data Protection Regulation (GDPR) will soon supersede this. It is thought that fewer than half of businesses are ready for the changes, so it pays to be aware of your responsibilities.
- What are the key changes?
Quite simply, the regulations are more stringent compared to the Data Protection Act.
As it stands, organizations must use personal data for the purpose for which it was collected, and it must be used lawfully. Previously, businesses could obtain consent from data subjects to use their data using opt-outs that need to be ‘unticked’ if a person objects to the organization using it. However, businesses now require positive consent from individuals to obtain or use their data.
Data subjects will also have the ‘right to be forgotten’, whereby they can ask for the complete deletion of any records that a company holds. It will also be free for individuals to make a Subject Access Request (SAR).
Any information that could potentially identify somebody, such as an IP address, is also covered by the regulations.
- What types of business are bound by the GDPR?
Any organization that controls or processes the data of EU citizens will be bound by the regulations. There are no exemptions — charities, not-for-profit organizations and the government are all bound by the rules in the same way as profit-seeking organizations.
Organizations with more than 250 staff will need to keep documentation on how data is being used and processed, and organizations that keep highly sensitive data or process large volumes will require a specialist Data Protection Officer (DPO) to ensure compliance.
- When will the regulations come into force?
The regulations were included in the EU Official Journal on the 24th of May 2016. However, there has been a two-year grace period to allow organizations to prepare, and they will be bound by the GDPR from the 25th May 2018.
- What happens in the event of a breach?
If a breach occurs, organizations will need to contact the supervisory authority within 72 hours. One where there were limits for fines pertaining to data protection breaches, those enforcing the regulation in Europe can levy fines of up to €10 million or two percent of annual turnover for small breaches. Serious breaches can be punished with a fine of €20 million or four percent of annual turnover.
This will extend to all EU countries with full implementation, and research suggests that fines for data protection breaches will be 79 times higher than previously. However, regulators have stated that they will not be looking to levy fines early; instead, they will be looking to help firms become compliant. However, we expect some clear “examples” be made to send a clear message to organizations that they must be compliant.
- How can DigitalStakeout help?
Businesses should realize that the GDPR is going to happen whether they are prepared or not, and ignorance of the new rules will not be seen as a defense in the event of a breach. Those who are prepared to introduce new working practices are those that will avoid the negative impact of any changes. There is no end date to GDPR. Compliance is a moving target and data will be constantly created and shared. DigitalStakeout can be your first line of digital asset identification and your last line of defense to assure protected data has not been exposed.
Digital Footprint Discovery
The DigitalStakeout platform enables you to discover and monitor your digital footprint across the surface web and social media. Discover corporate website assets, third-party co-branded digital properties and digital marketing assets so they can be inventoried and inspected for GDPR compliance.
DigitalStakeout’s data protection solution protects your organization by monitoring the surface web; social media, the deep web and the dark web for any evidence of data exposure or visible policy violations your GDPR program has established.
Threat monitoring with digital risk protection is an essential control that enables your organization to design an intervention strategy from the “outside view in” to protect customers from malicious brand attacks.