Many businesses are yet to understand the sheer scale and breadth of changes their company data processing policies will need to undergo to comply with the general data protection regulation (GDPR). Here, Nigel Crockford, Business Development Manager at IT consultancy eSpida, explains how the regulation will impact multinational businesses — and how they must prepare themselves.
Benjamin Franklin once said, “By failing to prepare, you are preparing to fail”. This statement will ring especially true for multinational businesses in the coming months as the GDPR comes into force across the European Union (EU).
By uniting 28 different EU member state laws under one data protection law, GDPR is set to harmonise data protection laws throughout the EU, giving greater rights to individuals.
Taking effect as of May 25, 2018, every business will need to alter their existing procedures to ensure the correct mechanisms to comply with GDPR are in place. Failure to comply with the regulation will result in costly penalties of four per cent of global annual turnover or €20 million, whichever value is greater.
Non-compliant businesses could also be faced with bans or suspensions on processing data, in addition to the risk of class actions and criminal sanctions.
GDPR and multinationals
To enforce the regulation, each country will have its own national data protection act (DPA) regulator that will oversee and manage any breaches. Businesses operating in multiple EU countries have frequently asked since the announcement of GDPR, how an authority will be chosen to enforce action if found non-compliant with the regulation, or if an authority from each EU affiliate would take action.
If a business has conducted non-compliant cross-border data processing activities, only one national DPA regulator must act on the complaint. For instances where a business’ data controller operates in multiple EU countries, the DPA regulator that will take action must be located in the same country as the organisation’s main establishment, or where it’s central administration takes place.
Non-EU affiliates of a multinational business will also be impacted by the GDPR, depending on whether the data is accessible from one central system to affiliates across the globe. Companies operating on this scale will need to have a clear understanding of how data flows in the company to ensure that cross-border data transfers are compliant.
This is just one example of how GDPR is introducing formal processes for issues not previously covered by the DPA. Another area that the ruling focusses on is when a data breach occurs.
In 2016, it was revealed that Yahoo had suffered a cyberattack that resulted in three billion users having their account details leaked. What was appalling to the public, however, was that the attack had taken place three years prior to the incident being reported.
Unfortunately, this is not an isolated incident. In 2017, Uber revealed that data of its users had been held to ransom by hackers in 2016, prompting similar backlash to the Yahoo breach.
Under GDPR, companies are required to report a breach within 72 hours of its discovery. This includes notifying the country’s DPA regulator, which in the UK is the Information Commissioner’s Office (ICO), and the people it impacts. Businesses should also consider taking additional steps to avoid the detrimental impact cyber breaches can have on its employees and customers.
Preparing to succeed
Identity management is just one example that allows companies to restrict access to certain resources within a system. Identity management can define what users can accomplish on the network depending on varying factors including the person’s location and device type.
With the rise in cloud computing among businesses, extra measures should also be taken to safeguard this data. A survey found that 41 per cent of businesses were using the public cloud for their work, with 38 per cent on a private cloud network. By implementing security measures like encryption software, businesses can prevent unauthorised access to digital information.
Taking these precautionary steps is necessary for businesses with more than 250 employees. This is because a business of this size, following the introduction of GDPR, must detail what information they are collecting and processing. This includes how long the information will be stored for and what technical security measures are in place to safeguard the information.
In addition to identity management and encryption software, businesses can also consider various other security tools for their systems, including anti-ransomware, exploit prevention and access management.
Another notable change for companies that have regular and systematic monitoring of individual data, or process a vast amount of sensitive personal data, is that they will now be required to employ a data protection officer (DPO). Sensitive data refers to genetic data and any personal information such as religious and political views.
GDPR will have a wide-ranging impact on multinational businesses. Although some may be more prepared than others, each business’ status in complying with GDPR is different, with no one solution suiting all. By investing in GDPR compliance specialists like eSpida, businesses can avoid costly fines because of discrepancies with the regulation.
It’s fair to say that the GDPR is the most meaningful change in data privacy law since it was first established over twenty years ago. Despite it currently only being enforced in the EU, many believe this will spark a revolution across the globe for the protection of data for individuals.
Businesses must prioritise updating their current systems to ensure their processing policies are compliant with the GDPR. Depending on the current position of a business, some may need more preparation than others. For example, not every business will be required to employ a DPO, but others may need to reorganise its HR team to help enforce GDPR compliance across a company.
With May just around the corner, businesses who have not already started preparing need to act now to avoid financial punishments and reputation repercussions.