Why is GDPR Important for my business? What Security & IT Professionals Should Know.



GDPR stands for General Data Protection Regulation. It is the main provision of the Data Protection Act (DPA). This act is designed to help protect the digital data of EU citizens, and ensure businesses are transparent and secure in collecting and processing data. Even if you don’t know what the GDPR policy is, you can read about it here.


Any company that provides products or services to EU citizens will need to strictly adhere to the new policy. If you don’t provide services or products to EU citizens, you will probably still need to make changes to how you accept and process personal information.


GDPR – Why should businesses care?


  1. The penalties for violations and non-compliance are severe: There is increased accountability for businesses, and there are eye-watering penalties for those who don’t meet the regulation. Under Article 83(5), infringements can result in fines of up to €20M or 4% of global revenue. Facebook and Google are already facing substantial fines of almost $10 billion.


  2. Jurisdiction expands outside the EU: A common misconception is that if you are not in the EU, you don’t need to worry about this policy – this is incorrect. It is the EU citizen that is protected. Therefore, if an EU citizen is browsing on your website or using your application, you need to make sure you are compliant and protect their data.


     Furthermore, it applies to EU citizens internationally, so even a visitor in a non-EU country who is an EU citizen is entitled to the protection. In essence, a large portion of websites worldwide need to meet this new regulation.


  3. Technical and organizational development: This is core to the new policy, which explicitly asks controllers (the people who control the data) to implement rigorous security frameworks, processes, and controls – all of which should be documented, consistent, and repeatable.


  4. Personal data expansion: What makes this so pesky is the expansion of what personal data actually is. Personal data under the GDPR is any information which makes a person identifiable, directly or indirectly, as found in names (enquiry forms), e-mails (newsletter sign-ups), and locations (analytics tracking). This expansion of terms is also important to IT professionals, as it includes IP addresses, GPS data, cookies, and UDIDs – however, be warned that this list is not exhaustive.


  5. Storage limitation: You must not keep personal data longer than you need it. In fact, under the regulation, you must keep it for ‘the shortest time possible’. Your company must establish how long data can be kept, and implement processes to erase or update erroneous or outdated information.


  6. GDPR is based on what you do: GDPR is a regulation that affects businesses of all sizes, even SMEs. It regulates your activities, not how big you are. However, not all the obligations apply to all businesses; for instance, companies with fewer than 250 employees don’t need to keep records documenting their processing activities unless that processing poses a threat to individuals’ rights and freedoms. Similarly, SMEs will only need to appoint a Data Protection Officer (DPO) if processing is their main business and poses specific threats to the rights and freedoms of individuals – such as monitoring individuals or processing sensitive information.