By Beth Watts
Sep 13, 2017
On April 14, 2016 the European Union Parliament passed the General Data Protection Regulation (GDPR) after four years of debate. The GDPR will be enforced beginning as soon as May 25, 2018, at which time organizations that are not in compliance will face heavy fines. Designed to replace the Data Protection Directive 95/46/EC, the GDPR aims to harmonize privacy laws across Europe, protect and empower the data privacy of all EU citizens, and reshape the way organizations across the region approach data privacy. Even if your business is not located in the EU, it’s likely that if you do business with a country within the EU, the regulation will affect you and your business.
If your business offers goods or services to, or monitors the behavior of, EU data subjects, then yes. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Organizations can be fined up to 4% of annual global turnover or £20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors – meaning “clouds” will not be exempt from GDPR enforcement.
One of the biggest changes to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Before GDPR, the territorial applicability of the directive was fairly ambiguous and referred to data processed “in the context of an establishment”. This caused a lot of confusion and a number of court cases. GDPR makes its applicability very clear: it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens or monitoring behavior that takes place within the EU.
In addition, penalties have increased, and the conditions for consent have been strengthened. Companies will no longer be able to use illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent. Furthermore, GDPR has introduced data portability, the right of a data subject to receive the personal data concerning them, which they have previously provided, in a “commonly used and machine readable format” and to transmit that data to another controller. To read up on the key changes in GDPR, check them out on the EUGDPR website.
How can Jungle Disk help prepare me?
Jungle Disk can help your business prepare on a few levels. You have probably already guessed that Jungle Disk backups can help provide encryption for personal data, keeping information safe using military grade (AES-256) encryption and meeting regulation requirements. Specifically in terms of data portability, data backups are helpful, but email archiving is less obvious and can be the most important. If you do any kind of business via email, email archiving is critical. At any time, if a customer wants a PST of all email correspondence regarding their account and personal data, would your company easily be able to provide that? Are you confident that the email threads you provided were not manipulated in any way by an admin or end users, to the extent that they would hold up in litigation? If the answers here are “no”, then, to be prepared, you should likely purchase archiving from either Jungle Disk or a vendor offering WORM (write-once/read-many) technology behind their service.
Lastly, does your current network have a policy in place that notifies you of any breaches or attempted breaches? If not, then you will certainly want to take a look at Network Threat Protection, a cloud-enabled firewall that protects your business from several advanced network threats and alerts you to any active attempts. It’s the best bang for your buck if you are looking to protect your data at the front end and avoid potential data breaches.
Ultimately, compliance with GDPR is a requirement, not a choice, come April 2017. The GDPR requires that business owners become aware of and proactive about specific data provisions. Get ahead of the game now to ensure your company is ready for the enforcement of GDPR, and allow Jungle Disk to help you along the way.