5 things you need to know about GDPR
Summer is nearly gone and by the time it comes back, the new General Data Protection Regulation (GDPR) will already be in force. On 25th May 2018, if you are not ready, you may be left with a hefty fine to pay, of up to 4% of your company’s turnover.
But wait a second: GDPR is an EU regulation, so why should Swiss companies care? Keep reading and we will tell you…
1) First of all, what is GDPR?
The General Data Protection Regulation (GDPR) helps EU citizens gain more control over their personal data. For example, among other things, it gives users the right to have their data forgotten, or to ask a company for access to all the personal data they hold on them.
Complying with such requests may not be that simple. Companies need to know what customer data they are collecting, where it sits and who has access to it. To be able to comply with GDPR, companies may need to make fundamental changes to the way they handle customer data and how they manage risk.
On top of that, the new regulation also states that companies need to disclose data breaches within 72 hours. Fines can go up to 4% of your annual turnover or 20 million Euros, whichever is higher.
Companies were given two years’ notice to get ready, but where has the time gone? There is now less than a year left.
Truth be told, some countries already have laws that are very similar to GDPR, but with one crucial difference: the scary fines! The penalties for non-compliance are very high with GDPR, enough to scare even the big players.
Also, GDPR makes it much less confusing to know what rules to follow in which country. Besides, it’s not about which country you are in, but where the customer is. Which leads us to #2.
2) I’m Swiss. I’m not part of the EU. Do I still have to comply?
Even though GDPR is an EU regulation, it is actually pretty broad. It affects any organisation that is actively targeting EU customers or users, regardless of where in the world they are based. It’s not only for those companies that are physically based in the EU.
If you are a small shop in the Alps selling ski equipment to locals and it so happens that you have a couple of EU customers, then GDPR might not apply. But if EU customers make up a big chunk of your revenue and you are actively seeking them, then you have to comply. But how can regulators tell the difference?
There are many tell-tale signs. For example, do you list your product prices in Euros? Do you have a .de, .fr or any other EU domain? Do you promote EU case studies on your website? Do you have sales offices, operation centres or branches in EU countries? If you said ‘yes’ to any of these common examples, then you probably can’t escape GDPR.
Your organisation is probably dealing with EU citizen data, whether you know it or not. Just have a look at what the regulators define as ‘personal data’. It includes not only bank details and email addresses but also IP addresses.
The good news is that, while complying with the General Data Protection Regulation may look like a big headache right now, in the grand scheme of things it will drive positive change across the EU. It will ensure that companies do more to protect their customers’ data.
3) How do I become compliant?
First of all, get to grips with the regulation and how it impacts your business. Learn more about what type of customer data you store and how you manage it, as well as what processes you already have in place to protect it. Then start mapping the gaps between what you have and where you need to be to become compliant.
From there, you can build a roadmap and prioritise the crucial changes you need to make before May 2018. Make sure you get other colleagues on board and make them well aware of the impact on the business if you don’t comply. Some of the changes may take time, so don’t leave it until next year. If you don’t know where to start, Cisco Privacy and Data Protection Services can help you understand what you need to do to comply with GDPR.
4) Can’t I just buy a GDPR-compliant product?
Not really. GDPR is about security processes and managing risk, more than anything else. Technology plays a part, but there isn’t a product that will solve all your problems. The technology won’t work unless everything works together.
Many people still think of cybersecurity as being a technology problem – with a technology answer. However, the bad guys have got smarter over time. Technology on its own cannot stop them. They will look for any weakness to find their way in.
Take a look at our recently released Midyear Cybersecurity Report and you will see how far cybercriminals have come. They changed the rules of the game. Maybe 15 years ago it was possible to just buy a firewall and be 99% protected. That certainly isn’t the case anymore. Companies have to look at things differently. It’s not about stopping every threat, it’s about managing and minimising risk.
It’s also about recognising how much responsibility you carry as a company when you collect and transfer other people’s data. That’s why the new regulation wants every company to have someone responsible for compliance, a data protection officer who has the autonomy to make decisions in the best interest of the customers.
5) What happens if I suffer a data breach?
Currently, in some EU countries, the law doesn’t force companies to disclose breaches. GDPR will change that. Not only does it become mandatory to notify the breach, but the notification also needs to happen within 72 hours.
If organisations are not set up with the right processes or technology, they can’t always tell how bad the breach was or what data was taken. So with the new regulation, companies will need to have better visibility and control over their networks. And that’s a good thing. Data breaches cost much more than what it takes to repair the systems. Companies are losing a lot of money.
If that, in itself, isn’t enough incentive to change, then the regulation will give companies a little push in the right direction, and also protect the consumers’ interests.
Hackers spend, on average, 100-200 days within a corporate network before they are detected. At Cisco, we brought that down to 3.5 hours. But being able to detect threats faster is one part of the equation. Companies also need to respond faster, and for that, they need to see the extent of the damage and how to fix it. This is where technology such as Stealthwatch can help.
We know it’s a lot to do and there isn’t a lot of time left. But if it helps, remember that the General Data Protection Regulation will ultimately benefit everyone. It’s not just another regulation: it will help companies get on the right path, and it will be hugely beneficial for customers.