A Simple Guide to GDPR: What is GDPR and What Does it Mean for Your Business?
Posted - 20 October, 2017
GDPR will be the most important change in data privacy regulation in the past 20 years – but how can Engineering, Defence & Cyber Security businesses prepare for it?
Many companies across industries are concerned about the effects of GDPR on business; however, the Engineering & Defence sectors will experience even greater levels of disruption and change. Before Engineering & Defence companies can begin to tackle the requirements set out by the new legislation, they need to understand what GDPR is and what it really means for their business.
What is GDPR?
GDPR stands for the EU General Data Protection Regulation: a law designed to protect the data privacy of all EU citizens and to reshape the way EU organisations approach data privacy. After being approved by the EU Parliament in 2016, the regulations will be directly applied to all European Union member states on 25th May 2018.
The regulations provide updates to the original 1995 Data Protection Directive. Whereas the directive was a guideline for businesses and their data storage and processing, the General Data Protection Regulation is legally binding.
The updates include three key changes. Companies can no longer get away with unclear or illegible terms and conditions. Data protection now has an increased global scope: compliance is required of businesses that are established in an EU member country, offer services to EU citizens or hold personal data of EU citizens, regardless of where the data processing takes place. Finally, financial penalties for non-compliance are introduced.
Put simply, GDPR means that companies cannot hold and/or utilise the data of individuals without their explicit, proven consent for that data to be used for the specific purpose for which the business intends to use it.
What does GDPR Mean for Businesses?
From 25th May 2018, all businesses based in EU member countries are legally required to abide by all regulations set out by GDPR. To remain compliant, businesses across industries must review their data storage and usage and ensure stringent internal record-keeping procedures.
Businesses found to be in breach of GDPR can be fined a maximum of 4% of annual global turnover or €20 Million (whichever sum is greater). Companies can be fined for serious infringements including:
Failing to obtain sufficient customer consent to process data
Not having their records in order (as per Article 28)
Failing to notify the supervising authority and relevant individual about a data breach
Not conducting an impact assessment.
Many industries and businesses must take additional actions to remain compliant. According to GDPR, organisations whose core activity consists of ‘monitoring individuals regularly and systematically on a large scale’ or ‘processing on a large scale special categories of personal data or personal data relating to criminal convictions and offences’ must appoint a dedicated Data Protection Officer.
The purpose of the Data Protection Officer is to oversee data protection strategy and implementation to ensure compliance with GDPR requirements. The DPO is responsible for educating and training employees on data processing and compliance requirements and conducting audits, and will report directly to the highest level of management and to the relevant Data Protection Authority. The DPO may be a staff member or external service provider but must have extensive knowledge on data protection law and practices.
How Will GDPR Affect Cyber Security, Engineering & Defence?
GDPR will present businesses across Europe with a challenge: customers and stakeholders will expect their suppliers to provide foolproof compliance in addition to watertight security measures. This will be particularly applicable to Cyber Security providers, who will need to evidence how and where customer data is stored in their systems and the mechanisms that could potentially expose that data to unauthorised or unauthenticated users. Although naturally expected to remain compliant with all government legislation, Cyber Security companies will be under additional scrutiny to store and manage their data effectively.
With even online identifiers such as IP addresses falling under the regulations, the new legislation could affect Engineering and Cyber Security customer relationships. Data controllers will now be liable for the actions of the data processors they choose – if a business’ Engineering or Cyber Security provider is not compliant with GDPR, the customer business can also be fined. Engineering and Cyber Security companies may be under further scrutiny from their customers and consider reassessing their processes to retain competitive advantage in a wary customer market. A comprehensive contract detailing the governance of the controller-processor relationship is recommended.
GDPR will also affect the wider Defence sector due to the unprecedented level of industry growth expected over the next 12 months. After years of declining revenues, Defence is expected to grow at 3.2 percent in 2017 to meet increasing concerns about global security threats. With growth at such a fast pace, the inevitable changes to ways of working will have significant effects on business relationships with customers, partners and key stakeholders. Organisations with specific GDPR project plans will have the competitive advantage as well as remaining legally compliant.
How Can Businesses Prepare for GDPR?
All organisations will need to update policies, processes and contracts to ensure compliance with the regulations across all areas of business.
Knowledge is the best tool to equip businesses for complying with GDPR. As yet, much of the legislation concerning GDPR is unspecific, as the EU Parliament draws up the finer details before the May 2018 deadline. The Information Commissioner’s Office will be publishing a comprehensive Guide to GDPR in the coming months.