Online Support

What the GDPR Means for Your Business | Storm Internet

What the GDPR Means for Your Business | Storm Internet

The European Union has made good on its promise to put rules around the export of private data of its people and protecting data held within its borders too.  Plus they want to drive down the cost of compliance by having all EU countries use the same set of rules as countries have been writing their own.

New rules issued in April 2016 will affect everyone from the American tech giants Google and Facebook, business in the UK, and advertisers and their data tracking cookies. It’s going to force business to police their vendors and even switch vendors in certain situations because of the risk of non-compliance.

Potentially Devastating Fines

The General Data Protection Regulation (GDPR) rules passed by the European Council and Parliament last week replace the European Data Protection Directive. These rules apply to companies either operating in the EU or processing data on residents of the EU.  (Notice that it does say just citizens.)

The penalty for non-compliance is so high that businesses are going to think twice about who they hire as a hosting company or who they hire as a vendor of any kind.  Mishandling or losing data causes every company in that chain to suffer penalties.  These penalties can be 2% to 5% of turnover or €10,000,000 or €20,000,000, whichever is higher. That is a huge amount and disportionately endangers smaller firms.  So companies are going to need to make sure they work with firms who understand European law.

Ignorance of the law is no excuse, but if you follow some of the rules as opposed to none of them will reduce fines, thus giving some relief to those who are somewhat ignorant of what is right.

There are factors that make the fine go up or down.  For example, a company must report to the authorities, such as the UK ICO, a data loss within 72 hours if it impacts the privacy of their customers.  So if a company does that quickly they would have demonstrated their willingness to work with the regulators, which is one factor that will reduce penalties.  Also a company needs to know what is meant by privacy.

What is Your Responsibility?

It has recently been the EU’s position that people who visit your website need to opt-in to data tracking and give assent to having their data stored.  Of course the American position is that assent is given unless those persons explicitly opt-out.  The new rules are especially strict with regards to minors, requiring parental approval.  Now opt-in is the law. So, some companies are going to have to redesign their web pages to make that explicit.

The bulk of the regulations regard documentation and internal procedures, which need to be written down. So for those of you who have an audit plan at all, or no one to write that, now is the time to give someone that task or hire a consultancy.

Getting Ready Now

Companies do not have a lot of time to prepare for the new regulations, which go in effect in two years. Everyone will have to write a data protection plan and large businesses will have to appoint a Data Protection Officer (DPO).  It’s best to read the lengthy rules to see if your company fits their definition of large. The DPO can be an existing employee but must be able to report to the top executives with no intermediaries.

A company that holds no private data on their customers or employees does not have to comply.  The key definition here is what is private.  Email is private, say the rules.  Again you probably need an expert in the law to make sure you are in compliance.  And you need to review which data fields you store and document the justification of each.  Some companies will then decide to quit gathering information that they do not really need. That is really what the law stipulates.

Who is Responsible?

It’s also necessary to get an accurate definition of who is a data controller and data processor as there are different requirements for each.  The controller (owner) has responsibility for errors committed by the processor (a vendor who touches that).  So it might be the case that you are responsible for data breaches caused by your public cloud or web hosting company due to their negligence.  That too is frightening for business. It is going to take time for the courts and regulators to sort through all of this and define boundaries as companies are singled out for fines and appeal those sanctions.

Basically, a company Is protected against fines if they are doing all that the law requires to protect customer data.  If the government and world’s largest banks can be hacked by the New Syrian Army or China then the EU authorities cannot hold your company responsible for that.  It’s just necessary to demonstrate that you have done due diligence by employing cybersecurity and having written plans and procedures. If the data you store is deemed high risk, you might even have to get government approval for you plans to protect that.

How We Can Help

At Storm Internet we have been following this debate in the EU Parliament for sometime and have educated ourselves on what our customers and we need to do to be in compliance.  Given the potentially ruinous fines, we take this situation seriously as it can literally drive businesses who do not comply into bankruptcy. That’s why we launched GDPR-optimised hosting, which shifts the bulk of your GDPR responsibility to Storm.

We also anticipate that American and other non-EU firms are going to withdraw from the EU hosting and cloud market when their revenue there is small compare to the relative risk.  This means lots of IT companies are going to have to look elsewhere for public clouds, managed security services, and consultancies.

0800 817 4727