Heads Up! Coming soon to a country near you: data protection regulation with TEETH.
September 12, 2018
In May 2018, the European Union launched the General Data Protection Regulation (GDPR): a new directive with the ability to fine a company up to 4% of global revenues for failing to safeguard sensitive client data.
But you don’t have European operations, so you don’t need to worry, right? Well, not exactly. If you have customers that live in the EU, or business partners that operate in the EU, the demands of the GDPR may have already landed on your desk. And even if they haven’t, this type of regulation is likely to make its way across the Atlantic in the near future. It’s in your best interests to get on board with the new rules.

What's changed and what's in store?
The first 100 days since the GDPR came into effect were unremarkable, despite a noticeable increase in complaints about the misuse of personal data. However, almost immediately after the 100-day mark, British Airways reported a massive breach of customer data. Initial reports from RiskIQ named a group of hackers known as “Magecart” as the suspected perpetrators behind last week’s attack. We still don’t know the extent of BA’s culpability in the breach that saw more than 300,000 accounts compromised.
Regardless of who is to blame, in 2018 we know that even if an organization takes all proper precautions, a data breach is nothing short of inevitable. Still, in direct contrast to the many cautionary tales out there of what NOT to do when it happens to you, BA took all of the right steps to restore customer trust. They informed customers immediately, confirmed that passport data was safe, outlined action plans, brought in authorities, and alerted the regulators.
Crisis averted? No. The next day close to CAD 900 million was wiped off the market value of BA’s parent company. Why? If BA is found to be out of compliance with the demanding protection laws of the EU’s GDPR, then the UK regulator could fine BA up to 4% of global revenues – that’s a fine of over CAD 1.5 billion. What does it really mean to be compliant with the GDPR?
The EU's GDPR demands that companies MUST:
- Obtain EXPLICIT consent from customers when processing or collecting sensitive personal information. This is mandatory. Customers must opt in after seeing a statement that defines the data to be collected, how it is used, how long it will be stored, and any associated risks. Firms must re-acquire consent whenever they repurpose the collected data. There is no grandfathering, and customers can withdraw consent at any time.
- Respect the right to be forgotten. If a customer withdraws consent, they have the right to request erasure of any personal information that’s been collected. The challenge lies in determining where all of the customer’s information resides, how it can be deleted, and whether you have shared this information with third parties. If yes, you will have to confirm that any third parties have deleted the information as well.
- Conduct Data Protection Impact Assessments before undertaking any project that places personal data in permanent storage. The purpose of the assessment is to confirm compliance with privacy regulations, determine the impact of using the personal information, and more.
- Employ a Data Protection Officer if the company makes use of customer personal data and has over 15 employees.
- Report data breaches within 72 hours of discovery.
- Deploy data encryption and other technical precautions when collecting and processing sensitive personal information.
Your next steps:
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.