Europe has blazed the trail for improved protection of global consumer data, regardless of the owner’s nationality—an effort now known as the GDPR. While it’s true the internet has no real national boundaries and is agnostic of regional policies, companies affected by the new mandate are realizing they must map out solutions for the future. The GDPR, also known as the General Data Protection Regulation, took effect in May of this year and is working to promote the need for corporate vigilance and effective cybersecurity measures.
The minimum penalty for companies not in compliance with these regulations starts at €10 million or two percent of their global income, while the heavier penalty comes in at €20 million or four percent of the company’s global income, whichever is higher. Negligent businesses operating in the EU will now face these financial penalties under a new clause in the regional data protection law. When it comes to responsibility, the GDPR makes no distinction between a multinational company and a small, micro, or medium-sized enterprise (SME): all of them are expected to keep private data secure.
An SME is defined as:
| Company Category | Staff Headcount | Turnover or Balance Sheet Total |
|---|---|---|
| Medium | Fewer than 250 | Less than €50M |
| Small | Fewer than 50 | Less than €10M |
| Micro | Fewer than 10 | Less than €2M |
Unlike a multinational company, an SME operates locally in a particular country, with customers located in the same geographical region. Multinational companies need to cater to many non-European customers, so SMEs can get by with a simpler Terms of Service policy. That said, these multinational enterprises have recently adopted a single Terms of Service for everyone, regardless of location.
How GDPR changes a long-time perception:
The regional law gives companies just 72 hours to report a data breach, best defined as a loss of any public or private user-identifiable information. This includes leaks of customer data such as physical addresses, credit card information, banking details, email addresses, and mobile numbers—any data that can be used to track down a customer in real life. This law does not impose punishments and fines, however, if the leak only included user login credentials. Many people are still debating whether that case should also be covered, since unauthorized access to an account can reveal even more personally identifiable data. It’s worth noting that the GDPR is not a money-making scheme for the EU, but rather a regional law that compels businesses and other organizations to store all customer data with great care.
The GDPR makes firms legally accountable for their customers’ data. Not all companies have a transparent Terms of Service when it comes to data privacy and security. Firms are mandated to acquire or develop systems that handle user data with the utmost care. They are directed to store it securely and keep it accessible to the user at all times, unaltered by other parties.
Under the law, firms are obliged to act as caretakers of customer information. They don’t own it; they merely hold it under the trust and confidence of the user. Data stored by a firm needs to remain unchanged until the user or her appointed representative makes the changes themselves. Companies need to be very careful and strengthen their infrastructure security, as a malware infection such as ransomware can corrupt the data or render it unreadable.
GDPR Shifted Corporate Responsibility Above The Current Definition:
Usually, the IT security aspects of a firm rest on the shoulders of a CTO, CIO, IT Director, or another staff member who makes technical decisions. The GDPR has escalated this. Now the responsibility belongs to the highest level of authority in an organization, the board of directors. The GDPR devised two levels of fines:
- One that applies when the collective decisions of many decision-makers result in a data breach or loss of customer data.
- Another that falls under the jurisdiction of a DPO, or Data Protection Officer. A DPO is a new corporate position tasked with ensuring data security and privacy across the whole organization, acting as the single point of contact to which all related communications are forwarded.