Networks Europe Mar-Apr 2018 | Page 21

GDPR

By Nigel Crockford, Business Development Manager, eSpida
www.espida.co.uk
How the regulation will impact multinational businesses and how they must prepare themselves
Benjamin Franklin once said, "By failing to prepare, you are preparing to fail." This statement will ring especially true for multinational businesses in the coming months as the GDPR comes into force across the European Union. By uniting 28 different EU member state laws under one data protection law, GDPR is set to harmonise data protection laws throughout the EU, giving greater rights to individuals.
Taking effect on 25 May 2018, every business will need to alter their existing procedures to ensure the correct mechanisms to comply with GDPR are in place. Failure to comply with the regulation will result in costly penalties of 4% of global annual turnover or €20 million, whichever value is greater. Non-compliant businesses could also be faced with bans or suspensions on processing data, in addition to the risk of class actions and criminal sanctions.
GDPR and multinationals
To enforce the regulation, each country will have its own national data protection act (DPA) regulator that will oversee and manage any breaches. Since the announcement of GDPR, businesses operating in multiple EU countries have frequently asked how an authority will be chosen to enforce action if they are found non-compliant with the regulation, or whether an authority from each EU affiliate would take action.
If a business has conducted non-compliant cross-border data processing activities, only one national DPA regulator must act on the complaint. For instances where a business' data controller operates in multiple EU countries, the DPA regulator that will take action must be located in the same country as the organisation's main establishment, or where its central administration takes place.
Non-EU affiliates of a multinational business will also be impacted by the GDPR, depending on whether the data is accessible from one central system to affiliates across the globe. Companies operating on this scale will need to have a clear understanding of how data flows in the company to ensure that cross-border data transfers are compliant. This is just one example of how GDPR is introducing formal processes for issues not previously covered by the DPA. Another area that the ruling focuses on is when a data breach occurs.
In 2016, it was revealed that Yahoo had suffered a cyberattack that resulted in three billion users having their account details leaked. What was appalling to the public, however, was that the attack had taken place three years prior to the incident being reported. Unfortunately, this is not an isolated incident. In 2017, Uber revealed that data of its users had been held to ransom by hackers in 2016, prompting a similar backlash to the Yahoo breach.
Under GDPR, companies are required to report a breach within 72 hours of its discovery. This includes notifying the country's DPA regulator, which in the UK is the Information Commissioner's Office (ICO), and the people it impacts. Businesses should also consider taking additional steps to avoid the detrimental impact cyber breaches can have on their employees and customers.
Preparing to succeed
Identity management is just one example of a control that allows companies to restrict access to certain resources within a system. Identity management can define what users can accomplish on the network depending on varying factors, including the person's location and device type.
With the rise in cloud computing among businesses, extra measures should also be taken to safeguard this data. A survey found that 41% of businesses were using the public cloud for their work, with 38% on a private cloud network. By implementing security measures like encryption software, businesses can prevent unauthorised access to digital information.
Taking these precautionary steps is necessary for businesses with more than 250 employees. This is because a business of this size, following the introduction of GDPR, must detail what information they are collecting and processing. This includes how long the information will be stored for and what technical security measures are in place to safeguard the information.
In addition to identity management and encryption software, businesses can also consider various other security tools for their systems, including anti-ransomware, exploit prevention and access management. Another notable change for companies that carry out regular and systematic monitoring of individual data, or process a vast amount of sensitive personal data, is that they will now be required to employ a data protection officer (DPO). Sensitive data refers to genetic data and any personal information such as religious and political views.
The impact of GDPR
GDPR will have a wide-ranging impact on multinational businesses. Although some may be more prepared than others, each business' status in complying with GDPR is different, with no one solution suiting all. It's fair to say that the GDPR is the most meaningful change in data privacy law since it was first established over twenty years ago. Despite it currently only being enforced in the EU, many believe this will spark a revolution across the globe for the protection of data for individuals.
Businesses must prioritise updating their current systems to ensure their processing policies are compliant with the GDPR. Depending on the current position of a business, some may need more preparation than others. For example, not every business will be required to employ a DPO, but others may need to reorganise their HR team to help enforce GDPR compliance across the company. With May just around the corner, businesses that haven't already started preparing need to act now to avoid financial punishments and reputational repercussions.
www.networkseuropemagazine.com