Kris Lahiri, Chief Security Officer for Egnyte, in the second of a monthly series, takes an in-depth look at how organisations should be preparing themselves for the upcoming General Data Protection Regulation. A report produced by the Close Brothers, June 16, revealed that only 4% of British small to medium-sized companies (SMEs) understand the impact of the European Commission's upcoming General Data Protection Regulation (GDPR).
A staggering 82% of companies surveyed have either not heard of GDPR or don't understand its importance. The remaining 14% are seeking further advice on how it will impact their workflows.
The good news is that you are going to find it easier to adjust to the new rules if you have been complying with the EU Data Protection Directive 1995, since the GDPR draws on the EC's Directive. EU businesses will have to ensure that they are ready to guarantee the updated rights enshrined in the GDPR and prepare for the new ones, such as the right to data portability and, where applicable, the right to be forgotten. In a nutshell, companies operating under the current regime will have to make sure they have their shop in order between now and the beginning of 2018.
On May 25, 2018, new rules concerning the accumulation and usage of data will come into effect. In this post-GDPR world, you'll have to gain unambiguous consent before collecting personal information, you'll need to wipe it after a predetermined period, and in the event of a breach, you'll have to notify the relevant authorities and the appropriate individuals within 72 hours.
What's more, not being based in the EU won't save you. If you market products to any of its member states, and if you handle the data of any one of the bloc's 508 million residents, it doesn't matter if you're based in Brussels, the US, or an Antarctic weather station: you'll be expected to comply.