It’s been one year since the initial flurry of GDPR-related activities, and data regulators across the EU have levied fines on companies large (Google, British Airways) and small (random business in Vienna whose CCTV captured too much of the sidewalk).
From illegally turning on users’ microphones through an app to acquiring a competitor that had suffered a data breach, businesses found themselves in a fine, fine world for not taking the right steps to secure their data.
Here’s a quick recap of what’s happened in the GDPR world, followed by 12 learnings you can implement as a rough GDPR checklist.
What is GDPR?
GDPR meaning: It stands for General Data Protection Regulation, and it was created to give EU citizens more control over their personal data (as it should’ve been from the get-go!).
Under GDPR, companies must ensure that personally identifiable information (PII) is collected legally (read: with consent) and that the data is properly managed and safeguarded. Otherwise, companies will be hit with steep fines and negative PR (which probably costs more than the fines).
Is GDPR Enforceable?
Yes, GDPR is being actively enforced. From Google, which was fined €50 million for collecting personal user data without consent, to a Spanish football league hit with a €250,000 fine for using its app to illegally turn on users’ microphones to “catch illegal soccer streams” at various pubs, regulators have been meting out punishments quickly, with no sign of slowing down.
And for those with morbid curiosity, GDPR penalizes companies based on their annual revenue, with security and privacy violations warranting fines of up to 2% and 4% of the company’s revenue, respectively.
What Does GDPR Mean for My Company?
Your company should be fine if you’ve implemented the proper controls and are transparent about how you document compliance.
Note that GDPR applies to you if you process the personal data of anyone living in the EU, regardless of where your company is located. And if you have partners and/or customers in Europe, then you’ll need to think about compliance.
And speaking of compliance, here are 12 learnings from the past 12 months that GDPR has been in effect:
GDPR Checklist: 12 Essential Actions to Ensure You’re GDPR-Compliant
- Beef up consent and disclosures: EU citizens take their privacy and security seriously (especially compared to US citizens), and will report data violations.
- Update user notices: Privacy is no longer a commercial transaction codified in Terms of Service agreements.
- Apply transparency, documentation, and evidentiary compliance in key operations.
- Ensure your marketing and sales team is actually obtaining people’s info with consent.
- Audit and document lawful and legitimate access to user data. And always, always, always document rationale.
- Implement annual security audits to verify compliance.
- Disclose a breach ASAP: Inform your customers and relevant authorities within 72 hours. As lawyers are wont to say, you want to show that you’re mitigating damages as quickly as possible.
- If you aren’t already, use a pen testing service (like Cobalt) to identify unknown vulnerabilities.
- Leverage real-time monitoring tools like Splunk and Sentry to track app performance and activity.
- Ensure security awareness training is actually implemented (rather than just having staff “interact” with a program that features circa-1998 UX, “gotcha” quiz questions, and a timer).
- Conduct vendor risk assessments and audits for all of your vendors and business partners (an automated vendor risk management tool can help with tracking and managing vendors’ security postures).
- Encrypt everything. ‘nuff said.