What is GDPR? How Does it Impact My Business?
The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive, and goes into force on May 25, 2018. It also supersedes the 1998 UK Data Protection Act.
There are many essential items in the regulation, including increased fines, breach notifications, opt-in consent, and responsibility for data transferred outside the EU. As a result, the impact on businesses is huge and will permanently change the way customer data is collected, stored, and used.
Egnyte is both a data controller and data processor, and GDPR compliant across all of our services. We’re also committed to helping customers achieve GDPR compliance by placing industry-leading content collaboration & data governance at the core of their strategy. Our SaaS solution shows exactly where data resides across a network, identifies personal/private and sensitive data, and reports that information quickly and efficiently as required. To learn more about GDPR and how to prepare for it, check out the Egnyte GDPR eBook.
Who must comply with GDPR and what’s the downside of not?
GDPR includes a number of significant articles, and increased territorial scope ranks right at the top. In general, this concept means that GDPR applies to all organisations holding and processing EU residents’ personal data, regardless of geographic location.
Many organisations outside the EU are unaware that GDPR applies to them as well. If an organisation offers goods or services to, or monitors the behaviour of, EU data subjects, it must meet GDPR compliance requirements.
Fines for noncompliance are large. They can be as high as €20 million or 4% of a company’s total global revenue, whichever is larger. This is the maximum fine that can be imposed for the most serious violations, e.g. not having sufficient customer consent to process data or violating core Privacy by Design concepts.
However, there is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.
Egnyte helps businesses comply with GDPR and avoid fines by proactively protecting files. Administrators with our solution know what’s happening with their data in real time. They have complete control regardless of whether data is held in the cloud or on premises and maintain visibility over it all with our built-in audit capabilities. They can also take immediate action to secure and protect files by receiving instant alerts when one is accessed without the correct authorization.
For more actionable insights from legal and IT experts on how to achieve GDPR compliance, watch our on-demand webinar.
If my business is located outside of the EU, how should I prepare for GDPR?
There is no difference in the way businesses located outside the EU should prepare for GDPR versus businesses located within the EU. All businesses need to have a clear understanding of where customer data is residing (in the cloud and on premises). They must know what, if any, personally identifiable information (PII) is contained in these files, and be able to present them quickly and efficiently if requested by a data subject.
Egnyte works across geographies to help companies on their journey to GDPR compliance. This includes businesses located both within and outside the EU, as well as those headquartered outside the EU that have an EU subsidiary.
Our solution addresses the regulatory needs of global businesses by providing complete visibility and protection over all your customer data in all locations. For EU countries that have strict data location requirements, we support data residency by leveraging our data centre in Europe.
Explore here for more answers to how Egnyte can help to achieve GDPR compliance.
How Will GDPR reshape data protection strategy?
To meet GDPR standards, organisations must revise current practices and change the way they collect, use, and transfer personal data. Personal data includes any information that could identify a person directly or indirectly, e.g. name, birth date, IP address, national ID number, etc.
Given the broad nature of GDPR, businesses operating in the EU will need to revise internal strategies to meet the new law. The regulation brings changes in privacy notices, consent notifications, breach notifications and more, essentially changing the ownership of private data from the business to the individual. Companies must be able to notify individuals of how long their data will be stored, if it will be moved, and allow individuals to access and delete the data under certain conditions.
Content collaboration and governance are part of a complete data protection strategy and the foundation for GDPR compliance. Consider the following when reshaping an existing data protection strategy or building a new one.
Determine exactly what type of personally identifiable data is on file, how sensitive it is, and where it’s held.
Construct a detailed roadmap on how to address any gaps in the organisation while handling sensitive data. Review and update existing privacy notices and communications policies.
Look into hiring a Data Protection Officer (DPO) who is fluent in GDPR guidelines and able to implement them across all departments. This person should have a deep knowledge of company data – what is collected, what is stored and where, what is moved, who has access to it, etc. The role requires knowledge of security controls and the ability to handle a breach.
A DPO must be appointed if the business falls into one of the following categories:
Otherwise it is not a requirement.
It’s important to have full visibility into the way data is handled. One of the easiest ways to maintain visibility is to keep an open line of communication with everyone involved, reviewing and updating privacy policies on a regular basis.
After implementing the key processes and procedures, it’s important to stress test them on a regular basis. This mitigates privacy risk by analysing how your organisation will use personal information and technology.
Read the 8 Things to do Before May 2018 blog for more information on how Egnyte helps build and implement a data protection strategy.
How does GDPR affect data breach policies?
Prior to GDPR, EU countries had the ability to adopt different data breach notification laws. This created more work when companies suffered data breaches, as they had to research and ensure compliance with each country’s requirements. With GDPR, the requirement is standardized across all EU countries.
Data breaches which pose a risk to individuals must be reported by controllers to the supervisory authorities within 72 hours, and if a processor discovers a data breach, it must notify the controller immediately. Supervisory authorities understand that fully investigating a breach within a 72-hour timeframe will often be impossible, so they allow information to be provided in phases. If the breach is sufficiently serious and public notification is required, the organisation responsible must do so immediately or without undue delay.
Egnyte lets businesses keep an eye on their unstructured data. By alerting administrators in real time to any glaring vulnerability, breaches can be proactively addressed or at least found quickly, which gets reports to supervisory authorities in a timely manner.
Read The 4 Phases of GDPR Preparation for more about dealing with breaches.
What are the steps to achieve GDPR compliance?
With the deadline looming, firms are struggling to find their best path to GDPR compliance. Many have no idea where to start, often dealing with dozens of data servers, spread over multiple sites - not to mention files stored in the cloud. But when fines for non-compliance can be up to €20M, or 4% of a company’s worldwide revenue, action must be taken.
Egnyte offers a simple solution to a large part of the problem. When GDPR was announced, we realized that without knowing it we’d been preparing for it all along. We always knew organisations would need a fast, simple, scalable, enterprise-grade, data solution. We just never thought it would be needed on a deadline.
Here are 8 things you need to do to start on your journey to GDPR compliance.
Egnyte helps you to become GDPR compliant by:
Simply put, we remove the complexity from GDPR compliance with an easy to deploy, cost-effective, 100% SaaS solution that supports compliance initiatives in all 28 EU countries.
Let us help you to become GDPR compliant by scheduling a live demo with an Egnyte representative.