As soon as the web has entered our everyday life, it has dramatically changed the way we communicate and how we handle everyday tasks and, as a result, information has become the most valuable asset.
People send thousands of emails every second, share personal and confidential documents, pay bills, and purchase goods by entering their personal details online. Have you ever wondered how much PII (personally identifiable information) data is shared online and what happens to that information?
Companies assure that they collect this type of information in order to serve their customers in the best possible way. But, is that what they really use the data for? There is no absolute answer to this question, and it has been asked over the last years and is now being answered by the EU.
The answer is provided in the updated GDPR (General Data Protection Policy) which will come into force as of 25 May 2018 across the entire EU. GDPR will have a significant impact on organizational data protection regimes around the world and will change the way businesses and public sector organizations can handle the information of their customers. As for the outsourcing business, software development vendors among the world should make changes in information security even more seriously and implement consistent measures to comply with GDPR and other security regulations.
As soon as it is important to be aware of GDPR key changes in order to stay compliant, here is a short summary of the main key points:
- The geography of the law has expanded – from now on, it applies to all companies that process PII data of people residing in the EU, regardless of the company’s location. Even though the GDPR does recognize that smaller businesses require different treatment compared to larger enterprises (organizations with fewer than 250 employees will not be bound by GDPR that strictly), it is still important to adopt all procedures accordingly and to stay compliant.
- Companies must provide their customers with explicit details about the ultimate use purpose of the information while collecting it.
- There are new regulations for obtaining consent for personal data collecting. Both consent and explicit consent now require clear affirmative action.
- The age barrier for information services and personal data processing is rising from 13 to 16 (apart from other exceptional cases provided for by local law).
- Companies must delete data that they are not using for its original purpose (monitoring procedures should be established and followed).
- People can revoke their consent to data processing at any time, and that must be an easy and clear process for them(this is a very tricky change, as from now on companies should establish procedures for handling such cases).
- Companies have 72 hours to notify about data breaches to regulators unless the breach is unlikely to result in a risk to data subjects. But, even before you call the data protection authority, you should inform the people affected by the data breach.
- According to the updated GDPR from now on, there will be a single national office for the complaints.
- Large data controllers must appoint a Data Protection Officer.
- If the company does not comply with the GDPR, it could face fines of up to €20,000,000 or 4% of their total global annual turnover for the preceding financial year (which is quite a big amount of money).
What does it mean for IT service providers?
Key points which should be considered by software developers who are working for EU/UK clients:
- Live servers must be in EU / UK. Access to live servers must be restricted.
- Staging environment must be located in EU / UK.
- All PII data should be encrypted before or during copying it from production DB to the staging server (all PII data should be anonymized).
- Сlear guidelines should be settled to ensure the company is able to respond to data breaches quickly (within 72-hour timeframe).
- Regular monitoring, inspection, and judgment processing procedures in order to minimize data storage, data processing, and protective measures should be established.
- Procedures for handling PII data have to be established
From the first sight, it seems like GDPR creates a lot of challenges and pain for businesses, but it is important to understand that also creates opportunities.
Companies who are able to show their value and expertise in an individual’s privacy, who are absolutely transparent about how the data is used, who design and implement new and improved ways of managing customer data throughout its life cycle, will build deeper trust and retain more loyal customers.
To achieve GDPR compliance, IT service vendors must introduce new important steps and ensure that personal data is protected against abuse and theft. They should conduct audits and invest in solutions for data loss prevention to adhere to all guidelines.
So, there is no much time left before 25th of May and that is why now it is the most suitable time to understand what your company needs to do in order to become compliant to stay competitive and save money.