Do You Really Have to Worry About GDPR Penalties?
Most people have noticed the increase in cookie notices at the bottom of websites over the past year. These little disclaimers may be a nuisance to visitors, but they are necessary for businesses to avoid substantial fines under the European General Data Protection Regulation, or GDPR.
The GDPR was developed back in 2016 to protect the data of individual citizens in the European Union. Businesses that collect personal data, including cookies, must put technical and organizational measures in place to protect that data. These requirements became enforceable in May of 2018.
GDPR compliance requires a lot more than a small cookie notice at the bottom of your website. Let’s take a closer look at these GDPR requirements, how enforcement has stepped up, and how you can protect your business from fines and penalties.
What is GDPR?
The General Data Protection Regulation, or GDPR, requires all companies collecting data from EU citizens to comply with strict new rules protecting that data. While the regulation does not prescribe a specific set of technical controls, it requires companies to provide a "reasonable" level of data protection and to inform EU citizens of their rights under GDPR.
GDPR covers many different data types:
- Identifying data
- Website or device data
- Health and genetic data
- Biometric data
- Political opinions
- Sexual orientation
- Race or ethnicity data
These regulations apply to any company that processes personal information about EU citizens — even if they don’t have a presence in an EU member country. If a data breach occurs, the regulations place equal liability on data controllers (e.g. data owners) and data processors (e.g. organizations that help manage the data).
You could be at risk of violating the GDPR regulations if:
- You use data processors or provide data to other partners that aren’t compliant with GDPR regulations.
- You don’t anonymize and secure personal data, such as customer data, payment data, analytics data, etc.
- You don’t notify EU citizens of their rights under the GDPR.
The penalties and fines for noncompliance with GDPR range from a simple warning to a fine of €20 million or four percent of annual turnover for a second offense. Rather than strictly assessing fines, the regulators have the latitude to consider a company’s intentions and attitudes in response to a data breach or revelations of inadequate data security.
The broad nature of the General Data Protection Regulation means that most businesses could be prosecuted for violations. While most enforcement has focused on businesses that have been maliciously exploiting personal data, rather than companies inadvertently making mistakes, there’s no guarantee that enforcement actions won’t expand.
Download our free GDPR Compliance Checklist to ensure that your business is meeting the basic requirements.
Some of the most prominent enforcement actions include:
- Facebook and Google were sued for their use of forced consent shortly after the law took effect on May 25, 2018.
- Portuguese authorities issued a €400,000 fine to a hospital for failing to apply proper access controls over patient data.
- U.K. regulators demanded that a Canadian organization cease processing data from EU citizens for political purposes.
- Germany fined a small app developer for failing to follow basic security practices for passwords.
Early data suggests that large companies have experienced the brunt of the fines, but small companies aren’t immune to receiving penalties or fines. While most fines have focused on data breaches and willful ignorance thus far, experts believe that fines are likely to increase in frequency and severity for poor data management in the future.
How to Protect Yourself
The best way to comply with GDPR is to embrace the spirit of the rule.
The first step is appointing a chief data officer or assigning someone who is willing to take ownership of data protection. In addition to drafting data protection guidelines, this person should be responsible for creating a culture of data security throughout the business. These efforts not only help with GDPR compliance but also with industry regulations such as HIPAA.
Companies should also invest in technology solutions designed to improve data security and enforce best practices. For instance, employee devices holding sensitive customer data should be encrypted and backed up securely. If a device is stolen, the information on it remains protected and can be immediately restored from encrypted cloud storage.
Jungle Disk provides a comprehensive cybersecurity suite that’s designed for small businesses with two to 250 employees. In addition to secure cloud storage, the cybersecurity suite includes active network protection, VPN access for employees, password management technology and other solutions designed to harden security and comply with security best practices.
The Bottom Line
The General Data Protection Regulation may seem intimidating for small businesses. While enforcement efforts have focused on deliberate issues so far, small businesses could be exposed in the future to penalties for poor data management, even where the lapses are accidental and unintentional. It’s important to protect your business against these penalties and fines with the right training, personnel and technology.
Sign up for Jungle Disk today to secure your network and data without breaking the bank.