Facebook and MyFitnessPal (Under Armour) have recently lost personal information on hundreds of millions of people to criminal perpetrators. Typically the perpetrator sells this information to other criminals for anywhere from 5 to 50 cents per user. These other criminals use the information in attempts to access other accounts or user machines, run intricate scams, phishing and e-mail attacks, and even try to steal people's identities - with all the consequences this may have. I bet nobody thought of that when they started sharing information on Facebook or let MyFitnessPal track their movements.
Anything from dialogue, to pictures, to where you go, which trains or buses you take and when, who your friends are, your workplace, or even what you eat, together with user names and passwords, is now in the hands of criminals.
By now, most people have heard of GDPR and how it is designed to protect individuals and their rights. This means that organizations must take precautionary actions to ensure they comply with the rules.
A series of important new obligations and rights affecting those processing personal data will be enforced come May 25th, but many have yet to understand the complexity of the changes that will come. So what is changing, and what is the impact? Let us take a closer look!
Wider scope - the new rules will apply to every organisation processing personal data related to EU citizens, even if they are not based in the EU themselves. Simply put: if you employ people or have customers, and either of these groups includes Europeans, you fall under the new General Data Protection Regulation.
Greater accountability - organisations will be required to prove that they are complying with the new rules through improved procedures and documentation.
Enhanced consent requirements - consent must meet stricter requirements than before in order to be validly obtained.
Rights for individuals - new rights include the right to be forgotten, the right to data portability and the right to object to profiling, e.g. for direct marketing purposes.
Processors - unlike earlier rules, data processors will for the first time have direct obligations under data protection law.
Notification of data breaches - there will be mandatory notification to supervisory authorities and affected individuals in specified situations.
Significantly higher fines - these can potentially be up to 4% of annual worldwide turnover or €20 million, whichever is greater. On top of that, you may be sued by groups or individuals who are affected by a data breach.
The Facebook and Under Armour breaches will surely have consequences. However, the fines from regulatory boards may be small compared to the drop in their stock price, ruined reputations and the costs of dealing with the issues after the fact.
So what can you do to ensure you do not face the same consequences?
Here are a few first steps you should consider, as we are less than 90 days away from GDPR taking effect:
1. Know your limits - Remember that GDPR deals with people, processes and technology and is multi-faceted. If you do not have the competence or knowledge, ensure you hire or partner up with someone that can help your organization.
2. Identify your gaps - You need to know where your issues are in order to address them properly.
3. Write process documents - You need to have formal process documents that explain how you consider privacy in your processes. You must document that you comply with GDPR, and having process descriptions is a step along the way.
4. Train the organization - Train the organization on GDPR and privacy. You are not stronger than the weakest link.
5. Protect your data sufficiently.
6. Make sure you can execute - Requests from individuals or audits by regulatory officials are one thing, but you also need to have a contingency plan to ensure you can respond if something goes wrong.
GDPR is much more complicated than this, but it is a start. You can e-mail us at firstname.lastname@example.org to get help for your journey towards compliance.