GDPR is the EU’s response to the privacy debate. Its stated objective is to give control of personal data back to the person. The data you collect on customers and prospects is no longer yours. It’s theirs. And it’s your responsibility to make sure it’s properly protected.

Any data relating to an individual is covered – whether public or private. And medium is irrelevant. The only exceptions are for some data relating to your own employees.

Businesses must select a ‘one-stop shop’ in the EU to act as their Supervisory Authority. Businesses are expected to give notice of retention time, and provide contact info for their data controller and Data Protection Officer.

You must obtain explicit consent from individuals if you want to use their data. For every purpose you want to use it for. And your Data Protection Officer must be able to prove that consent if asked.

In keeping with earlier EU conventions, those using data are segmented into controllers (those who gather and store the data) and processors (those who analyse and otherwise leverage it). Under GDPR, processors must follow the same rules as controllers. That means you’ll have to be very, very careful about what apps you use – and where they store and house their data – to avoid data leaving the EU without proper oversight.

Some vendors (like Microsoft) are leading the charge in this area by establishing data centres in the EU, giving users the option to never have their data leave the Union. However, this will still be the responsibility of individual users and enterprises. And getting it wrong will cost a lot.

Most important to you is the cost of not playing ball. Depending on the violation, you could pay anything up to 4% of your company’s annual turnover in fines.

Your company will also face the administrative burden of hiring a Data Protection Officer to oversee compliance if you regularly and systematically process data.

Over 28,000 DPOs (Data Protection Officers) must be created in the EU alone – with many more also needed in overseas companies trading in or with the EU.1 Although there’s no clear guidance on which companies must appoint them, earlier drafts of the regulations specified any company processing data of 5,000 individuals in a year. The law now refers to any company that ‘systematically’ processes personal data.

Companies will have to get used to their customers running the show when it comes to data. Even deleting personal data without notifying a subject can constitute a violation.

Gartner estimates that by the time GDPR activates, over 50% of the companies affected will not be fully compliant.2

GDPR has the potential to save businesses as much as €2.3bn a year by removing a complex web of national laws and disconnected regulations.3

What’s more, 90% of the EU’s population (i.e. your customers) are in favour of it.4

Compliance will cost you – but noncompliance will cost you more.

Violating regulations on data governance, storage, and usage – and failing to answer requests – means a fine of up to €10,000,000 or 2% of your last year’s turnover.5

Violating regulations on acquiring consent, failing to observe the rights of data subjects, or illegally transferring data to centres outside of the EU means a fine of up to €20,000,000 or 4% of turnover.6

Complying means recruiting a Data Protection Officer if you regularly and systematically handle individual data.


Data Protection Officers can be internally hired or can be an outside contractor retained ‘as a service’. You’ll almost certainly need one even if you maintain so much as an emailing list.

The DPO’s job is to ensure the compliance of your data controllers and processors. But they won’t be directly involved in the process of building your compliance capability and culture. That will be a job for other senior team members.

Your DPO will need a platform in the business to co-operate with both IT and security leaders. Between them, they’ll be vital in training the rest of your teams to understand and follow the new rules.

All breaches involving personal data must be reported to your Supervisory Authority within 72 hours. Anyone whose sensitive data is deemed to be at risk must also be notified.8

Right now, 32% of companies report losing data in breaches9, and the average company will experience around 100 cyber attacks in a year10. What’s more worrying is that only 25% of companies report having experienced an attack11 – which means you’ve probably experienced multiple breaches without even realising it.

That means security isn’t just important to safeguard your assets – it’s now a matter of your brand’s day-to-day survival. According to a recent IDG report, a majority of business leaders (57%) consider reputational damage almost as important as potential lost revenue (58%)12.

Your security teams will need to have dependable loss prevention policies, Secure Internet Gateways, password management plans, and other protocols in place to best safeguard the company.

Only 5% of FTSE companies currently have cyber security expertise at board level.

Companies are increasingly conscious of the need to fill this gap – according to IDG, only 60% of UK businesses believe they currently have the people and processes they need to be compliant with GDPR. That means an already scarce talent pool is rapidly evaporating.

Start looking now – and make sure you have the right partners in place to help train and support the people you do have. Avoiding loss of face (not to mention loss of funds) will now be a matter of both compliance, selecting the right security solutions, and evolving your company’s culture.

Get used to collecting data in a way people can understand... and get ready to re-format or throw out what you currently have.

Data storage lifecycles must be declared under GDPR, so it’s highly likely that your older records will be invalid.15

What’s more, customers can ask to see what data you hold on them. And ask for it to be moved somewhere else at any time16. It needs to be stored in a common format that’s easy to read.

You’ll probably have to set up an initial project to audit your current data-gathering activities – working with your DPO (if your company already has one) to work out what is and isn’t acceptable under the new regime.

If you don’t, you’re already in violation. And since you’ll be expected to prove consent on demand, that might cost you.17

This means that a full assessment of your data storage will be essential before May 25th 2018. You should pay particular attention to your cloud storage and software solutions, as these could be more vulnerable to breach and may be harder to make compliant.

You’ll also have to be a lot more careful about how your people use data on apps. Unless you know where app vendors base their data centres, you risk moving data out of the EU and incurring a huge penalty.

You’ll face questions from both your customers (from whom you’ll now need explicit permission for each way you intend to use their data) and from your people (who will need to be able to accommodate this requirement in new user experience formats).

According to IDG, 62% of survey respondents think that securing compliance with GDPR is IT’s job18. That means your first awkward question should be about responsibilities.

If building architecture and on-boarding solutions isn’t explicitly assigned to someone, it’s likely you’ll take the blame later if the company’s sanctioned.


To keep yourself and the company in the clear, you’ll need to know:

  • What data do we absolutely need to be collecting?

  • Where are we keeping it?

  • What applications are we using to process it? Are they compliant? Are their servers based in the EU?

  • Are our staff aware of what they must do to maintain compliance?

  • Who has privileged/controller-level access to data? Do they really need it?

  • How are we testing our systems for vulnerability?

  • Do we have a robust system for breach response? Are my legal, security, HR, and PR teams looped in on it?

This is your problem now.

72-hour breach reporting requirements mean a lot more pressure will be placed on you to guarantee the company’s market position. Especially since it’s currently unlikely that you even know when a breach has occurred.19

That means you need to know who controls and who processes your data, where it is, and what protects it. You’ll have to co-operate extensively with your organisation’s IT leadership to discover the true scope of this – as shadow IT and unsanctioned 3rd party app use must be covered and controlled as well.

To address specific cloud vulnerabilities, you’ll likely need to enlist the aid of a Cloud Access Security Broker – and Gartner have suggested that by 2020, 85% of large enterprises will depend on such a service.20

You’ll need strong Data Loss Prevention policies in place for cloud and on premise. As well as more traditional Secure Internet Gateways.

Malware and ransomware are still the primary entry points for a data breach, and according to security leaders this is unlikely to change.21

Password management policies will also become a much more important part of your life. Because if a breach comes about thanks to a password that hasn’t been changed since 2007, you’ll be the one who must explain why.



It’s impossible to keep any data 100% safe online – but now you’ll have the spotlight (and hopefully the budget) to do the job properly. Make sure you have the software, people, and partners you need in place.

We recommend a suite of traditional platforms as discussed above – alongside strong end-user behavioural analytics. Together, these will detect and prevent breaches with a much greater level of success.

Your company’s Data Protection Officer – whether internal or external – will be your biggest ally in protecting the company. And staying on the right side of the law.

You should consult with them to craft your company’s new security architecture and culture in compliance with GDPR.


They’ll also provide an invaluable resource when it comes to training and coaching your end users to follow the correct protocols. (Though this will remain your responsibility.)

We provide independent and impartial cloud security consultancy and implementation services.

Our aim is to make your business secure and cloud confident. To give you the security systems, software, and policies to grow and thrive.

We advise on all aspects of cloud security. Providing insight and recommendations on cloud access, identity management, and traditional web security services.

Because we’re truly independent, we’ll build your custom solution completely from scratch. And we’ll only use the software, tools, and protocols that fit your priorities, to help your business grow and thrive.

  1. Gartner, Focus on five high-priority changes to tackle EU GDPR ID: G00311301
  2. Gartner, Ibid
  3. For more on this, see our previous whitepaper, The New EU General Data Protection Regulation (GDPR)
  4. European Commission > Justice > Data protection > reform - http://ec.europa.eu/justice/data-protection/reform/index_en.htm
  5. GDPR Article 83, Paragraph 4
  6. GDPR Article 83, Paragraphs 5&6
  7. GDPR Articles 37-39
  8. GDPR Articles 33&34
  9. Aberdeen Group research, SaaS Data Loss: The problem you didn’t know you had.
  10. Accenture Security Technology Vision 2016
  11. Sixth annual Databarracks Data Health Check Report
  12. IDG Connect Mixed state of readiness for new cyber security regulations in Europe
  13. Accenture Security Tech Vision 2016
  14. IDG Connect Mixed state of readiness for new cyber security regulations in Europe
  15. GDPR Article 25
  16. GDPR Article 20
  17. GDPR Article 7
  18. IDG Connect Mixed state of readiness for new cyber security regulations in Europe
  19. Accenture Security Technology Vision 2016
  20. Gartner: How to Evaluate and Operate a Cloud Access Security Broker, 08 December 2015 | ID:G00292468, Analyst(s): Neil MacDonald, Craig Lawson
  21. IDG Connect Mixed state of readiness for new cyber security regulations in Europe