The European Union’s General Data Protection Regulation (GDPR) came into play on 25th May 2018, designed to protect the personal data of consumers and make organizations more accountable on how they handle such information.
Built upon the existing Data Protection Act (DPA) 1998, GDPR is the most comprehensive data privacy standard to date. Its implementation is a response to the rise of data breaches, sensitive card information leaks, ransomware attacks and other malicious cyber attacks impacting businesses and consumers across the world.
GDPR includes strict guidelines for organizations, including:
- Recording how and when an individual gave consent for their details to be used. Consent must be an action and affirmative action, not simply a pre-ticked box on a web form.
- Being transparent to how data is used, how long it is stored for and who gets to see it. Consumers may also demand direct access to review the information stored about them.
- Responding to the consumers have the right to demand that their data is deleted, commonly referred to as the ‘right to be forgotten’.
- Reporting a data breach within 72 hours of being aware of it to the Information Commissioner’s Office.
Organizations that do not comply with GDPR will face heavy fines, up to €20m (approximately £17.8 million) or 4% of turnover, whichever is greater.
Additionally, research by security experts Thales also suggests that 79% of consumers would not do business with an organization that didn’t comply with GDPR and 58% of respondents claiming they would at least consider legal action.