August 13, 2020
By Indu Peddibhotla – Senior Director, Market & Product Research
The General Data Protection Regulation (GDPR) was drafted into law in the European Union primarily to protect an individual’s personal data and their fundamental right to keep it private. Companies that collect and/or process data involving EU Data Subjects need to comply with GDPR. In the rest of this blog, we will explain and demystify some of what GDPR means and its impact on businesses. This is by no means an exhaustive summary, nor is it legal advice. We of course recommend that you check with your own advisors on how GDPR applies to your business.
For businesses that fall under GDPR jurisdiction, violations could result in hefty penalties that might severely damage both their bottom line and brand integrity. This is why it is critical to fully understand the requirements of GDPR, and ensure your IT solutions, like your data backup & recovery solutions, are compliant.
So what constitutes Personal Data?
In a nutshell, any information that allows a person to be identified from that data is classified as personal data. These could include a person’s name, location, identification numbers, genetic and biometric data, as well as non-obvious data such as electronic identifiers, including IP addresses used by them. Race, ethnicity, religious affiliations, preferences, and other such information also fall under the GDPR purview.
So what if my business is not GDPR compliant?
In this digital age, customer data can be aggregated and analyzed with relative ease. Unfortunately, this has broadened the scope of cybersecurity threats, and those same customers are increasingly concerned about their personal data being exposed by lapses in a company’s security measures.
- From 2018 to 2020, over 160,921 personal data breaches were officially reported by organizations [3]
- On average, a hacker attack occurs every 39 seconds [2]
- A data breach costs a company an average of $3.9M [1]
Non-compliance can invoke large fines. Some high profile companies that have been given GDPR penalties include (source: gdpreu.org):
- Google was fined $57 million for not providing sufficient transparency to its users on privacy-related practices when setting up devices.
- Marriott Hotels was fined $123 million for failing to update a legacy system of a hotel chain it bought (Starwood Hotels). The legacy system was compromised and the personal information of approximately 339 million consumers was exposed.
- British Airways was fined $230 million when details of half a million customers were stolen from their booking system due to insufficient technical and organizational measures to ensure information security.
Here’s a brief rundown of key tenets of GDPR and how they’re relevant to your business:
Key GDPR Concepts Explained
Data Subjects: GDPR defines data subjects as individuals about whom data is collected by businesses. They’re the people whose privacy GDPR aims to protect. If your business involves data control or data processing, you face specific obligations to protect data subjects and their personal data.
Data Controllers: A data controller is any entity (e.g., business) that collects and processes personal data. The controller decides the purposes of data processing and the means used for that processing; for example, it may decide to outsource certain processing activities to a Data Processor. Under GDPR, data controllers must not only comply with GDPR, but they also need to be able to demonstrate that compliance to third parties, e.g., individuals, authorities, business partners.
Data Processor: A data processor is an entity that processes collected personal data at the instruction of a data controller. The data processor doesn’t have any direct say in how the data is collected or the type of data gathered. When engaging a Data Processor, a Data Controller is bound to use only Data Processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” that will meet the requirements of the applicable legislation.
Data Protection Officer: To ensure GDPR compliance, an organization that handles, analyzes, collects, or otherwise processes personal data must, in specified cases, appoint a data protection officer (DPO). The data protection officer monitors the organization’s compliance with applicable privacy laws, responds to data subject requests, and remains the primary point of contact in all privacy-related matters.
GDPR Guiding Principles for Your Business
What does this all mean for your company?
First, you must determine what personal data you process and which of the roles laid out above you occupy in that processing.
Second, you must ensure your data collection and processing methods are lawful. In particular, you need to make sure you have a valid legal basis for collecting and processing data. To do so, it’s extremely helpful to appoint a data protection officer who can track and monitor GDPR compliance for your organization.
Third, you must ensure your data is secured and that the security measures you have implemented provide an appropriate level of security. That level is determined on a case-by-case basis.
Fourth, be prepared to handle data subject requests concerning what/where/how their data is collected, and swiftly remove their data from your system if requested.
Finally, make sure you are able to react to any data breach in line with GDPR requirements and limit its potential negative impact.
Metallic™ Backup & Recovery is engineered to offer industry-leading data protection in support of your GDPR compliance efforts. Want to learn more? Contact us today.
The information you may find on our site does not constitute legal advice and is provided without any warranty, express or implied, including as to their legal effect and completeness.