In an effort to strengthen the EU’s defence against data privacy breaches, the European Union launched the General Data Protection Regulation (GDPR) on May 25, 2018. GDPR is designed to replace the already dated Data Protection Directive 95/46/EC and harmonize all data privacy laws across Europe. The main focus of the GDPR “is to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
GDPR was received with mixed sentiments. Some organizations readily complied with its stringent regulations while others resisted. Although it has European roots, GDPR will have a global impact.
Is GDPR working?
The digital economy has a lot of inherent risks especially when it comes to a persons’ privacy rights. GDPR is designed to provide EU residents more control over the personal data they send over the internet. And it is supposed to make data protection requirements clearer for organizations. However, GDPR isn’t perfect and not everyone is fully compliant.
According to CipherCloud CEO Pravin Kothari:
There is no doubt that the responsible authorities will find many large enterprises with incomplete compliance and will seek to create examples by leveraging large and heretofore never seen unbelievably large compliance penalties.”
It’s not surprising to see data privacy breaches just months after GDPR was fully implemented. Below are two of them:
Last June 23, 2018, the month following GDPR’s implementation, Ticketmaster discovered that a malware attack on their third-party vendor leaked customer information (log-ins, names, addresses, card details, etc.) to hackers. Because of the potential seriousness of the breach, customers who had used Ticketmaster from September 2017 to June 2018 were alerted on June 27.
This puts Ticketmaster in a complex position. Under GDPR, companies must inform its customers and the ICO of a breach within 72 hours. Ticketmaster was a day late and is now facing a potential fine of 10 million euros or up to 2% of their annual turnover.
In what was described by the company as a “sophisticated” breach, hackers hacked into British Airways’ information systems between August 21 and September 5, 2018. The breach leaked as much as 400,000 customer credit card details, email addresses, and names. The compromised had affected British Airways’ website and mobile app.
Although customers were informed right away, British Airways received a backlash for the time it took them to discover the breach. It took them 2 weeks! Because of this, authorities and customers question the effectiveness and quality of British Airways’ internal detection processes.
Under the General Data Protection Regulation, British Airways now faces huge fines amounting to about 4% of their total annual revenue.
GDPR: A strong message
Although GDPR is far from being perfect (yet), its enforcement is sending a strong message to companies across the globe. The hefty fines — up to 4% of their annual worldwide turnover or 20 million euros, whichever is bigger — given to violators show how serious the EU is when it comes to protecting the data privacy of its citizens. And companies that fail to comply with its stringent regulations will surely pay a big price.
“GDPR puts very heavy demands on data controllers and data processors, but it also seeks a balance between the privacy of the individuals and interests of the data controllers and data processors. Maybe right now ensuring compliance may seem as an administrative and financial burden, but over time all involved parties will find an effective way how to comply with the requirements of GDPR and this compliance will become standard.”
– Reinis Papulis, Associate, KRONBERGS ČUKSTE DERLING
The role of HR tech in GDPR
The HR department is responsible for managing and protecting employee data. And with the implementation of GDPR, data privacy is becoming one of its main challenges. Modern HR tech, like CakeHR, is powered by the cloud where your employee data is stored in multiple servers in various locations. To make sure that your employee data is safe, it is important that you partner with an HR tech provider that’s 100% GDPR compliant and uses the latest encryption technology.
Aside from having the right HR technology in place, the HR is also responsible for educating all staff that handle data regarding the need for good data privacy practices. Since GDPR allows employees to withdraw their consent and be “forgotten”, the HR should also make sure that they have the necessary procedures for deleting employee data and verifying if all traces have been removed.
GDPR best practices
Because of its hefty fines, it’s futile for companies to turn a blind eye on GDPR. According to Matan Or-El, CEO and Cofounder of Panorays,
“Companies will have to institute a full strategic plan with standards, rules and procedures for securing data privacy and supply chains, and effectively demonstrate that they took all reasonable precautions to protect the personal information of their customers. Part of that plan should include informing the CEO and board of directors on an ongoing basis of advancements in achieving full GDPR compliance and reporting any possible pitfalls”
So, how do you make sure that your organization is GDPR-compliant? Read below:
1. Always encrypt your data
Data breaches will leave unencrypted information in the open. And anyone who knows how to read can access it. Moving to the cloud means that most of your business data is no longer hosted inside your premises. Instead, it’s being served from multiple locations. A breach in one of these locations can put your entire business at risk.
Although not mandatory under GDPR, encryption is one of the best ways to protect your data. There are two types of encryption:
- At -Rest Encryption – a data encryption service that protects data from the server-side and client-side.
- In-Transit Encryption – protects your data while it is moving or in transit.
Once your data is encrypted, you must make sure that only key individuals have the correct level of permissions to decrypt the data and access it.
2. Make sure you understand your compliance responsibility
Data security is a cooperation of all the parties involved in your business. And all responsible parties are bound under GDPR. Usually, there’s two: the data controller (those who outlines how data is collected and why) and the data processor (those who store or process the data collected).
GDPR defines the responsibility of each side. So, make sure you clearly understand yours.
3. Know your scope of compliance
GDPR regulates anything that is personally identifiable — names, addresses, emails, card details, IP addresses, internet cookies, and even social media posts! So, make sure that you are only storing data that is necessary for your business.
4. Always be proactive
Prevention is better than paying a hefty fine. GDPR compliance is not a one-time process. It’s an ongoing commitment from your company to protect the privacy of your employees. So, take a proactive approach in monitoring and detecting breaches and in making sure data is properly managed.
5. Create a security-first culture
GDPR will affect a much broader section of your business than just your IT department. Succeeding in GDPR requires not only technical excellence but also a shared understanding of the importance of data security.
Senior management can help promote a security-first culture by ensuring that safeguarding data privacy is at the forefront of every processes, practices, procedures, and methodology. Employees must be constantly trained with the latest technologies and techniques that they can apply.
Don’t move too fast without properly training your employees. This practice will help you avoid shortcuts and keep you from overlooking privacy best practices. Creating a security-first culture should be a priority for the HR.
Making your organization GDPR compliant takes a lot of hard work. Remember, it’s not a one-time process but a lifetime commitment to protecting your own privacy and that of your customers and employees. It’s all hands-on-deck when it comes to data privacy. You can’t afford to stand idly in a corner and watch the rest of the world fighting off hackers and cybercriminals.
The implications of GDPR can’t be ignored. Companies who are guilty of misusing personal information will face hefty fines up to 4% of their annual worldwide turnover or 20 million euros, whichever is bigger. That’s why employing the following GDPR best practices in your organization is crucial:
- Always encrypting data
- Having a full understanding of your compliance responsibility
- Knowing the extent of your compliance
- Being proactive
- Creating a security-first culture inside the organization