First, what is GDPR and am I affected by the new compliance regulations? GDPR is the General Data Protection Regulation, adopted by the European Union (EU) in April 2016 and enforceable from 25 May 2018. GDPR applies to any company or organization that processes the personal data of individuals in the EU, including by offering them goods or services, regardless of whether the organization has a physical location in the EU. Here are a few examples of companies and organizations that will be affected:
- You have a boutique clothing company based out of New York City, New York that also has an online website. Residents of the EU have purchased items from your website.
- You have an online consulting company for Search Engine Optimization based out of your home in Orlando, Florida. You have had at least one customer whom you have helped that resides in the EU.
- You have a manufacturing company with multiple offices throughout the entire world, one of which is located in the EU.
- You have a company or organization that provides goods and/or services to residents of the EU and your only location is in the EU.
- You have a photography website where members create a personal profile about themselves with a username and password in order to share photographs with others. At least one of your members of this free website is a resident of the EU.
The ultimate goal of GDPR is to protect the personal data of individuals in the EU. Let’s clarify what constitutes personal data. Personal data can be anything that identifies, or can be combined to identify, a natural person: a name, email address, physical address, medical information, banking details, photographs, an IP address or other online identifier, and any other information that can be linked to an individual in the EU.
Power has shifted to the residents of the EU, who now have a right to a judicial remedy and to compensation from a company that mishandles or breaches their personal data. A company has 72 hours from the time it becomes aware of a breach to notify the supervisory authority, and it must notify the affected individuals without undue delay when the breach is likely to put them at high risk. Penalties for non-compliance can reach €20 million or 4% of global annual turnover, whichever is greater. This is the most important change in data privacy regulation in over 20 years. This is not an option, but a requirement. The EU hopes that the rest of the world will follow its lead.
At nFront Security, we applaud the new regulations that the EU has passed. Requiring all companies to protect EU citizens’ personal information to the highest standards is a very wise choice. By being GDPR compliant, you give your customers trust and confidence that their personal data is being protected, which matters a great deal in a digitalized economy. The regulation covers many topics, including breach notification, consent, data portability, and privacy by design. However, the common thread running through all of these requirements is protection from data breaches. Most companies know that the threat of a data breach is very real today. Without proper security measures in place, the question isn’t if they will be hacked, but when.
One final note: we encourage companies to reevaluate their password policies. A strong password policy is your first line of defense for protecting your company’s most treasured assets… your customers. Many companies are Windows-based, and the default Windows password policy will not keep your company secure: a password such as Password1 satisfies the built-in complexity rule, because it meets the minimum length and contains characters from three of the required character categories. A data breach could expose your company to GDPR fines of up to €20 million or 4% of global annual turnover. Do your company a favor and implement a Windows Password Filter to ensure that no weak password can be used on your company’s network.