- Single set of rules applying to all EU member states
- Applies to organizations accessing data from EU citizens
- Requires businesses to build in reasonable standards of data protection by default
- Data cannot be collected without consent
- Companies must appoint a Data Protection Officer
- Data collected from EU citizens must be semi-anonymized (by encryption or other means) so that it can’t be traced back to the person it was collected from
This list only barely approximates the scale and scope of GDPR compliance. This regime makes so many changes to the way privacy is practiced in the digital realm that it’s beyond the ability of a single article to capture. Rather, let’s focus on one way the GDPR will affect one of the most ubiquitous technologies currently in use: email.
Regulating Email Under GDPR Compliance
Email is an inherently leaky technology. It is stupidly easy for workers to accidentally email sensitive customer information in the clear. In addition, the relevant US agencies love to levy fines. Under HIPAA, for example, $15 million in fines were levied in 2016 alone. The largest HIPAA fine, assessed in 2013, was $5.5 million. Given the ease with which email leaks data, and the draconian nature of US agencies, should businesses be worried about email under the GDPR?
The answer is yes and no. Under the GDPR, the Office of the Information Commissioner can assess a maximum fine of €20 million, or 4% of a company’s global revenue, for a severe data breach. That’s a lot of Euros, but the EU’s information commissioner has historically been reluctant to use that power. The office has never imposed its current maximum fine of €500,000, and the largest fine it has demanded was €400,000 following the TalkTalk data breach.
While this is certainly good news for enterprises that might easily be able to absorb a fine of roughly half a million dollars, it’s less good for smaller companies. There is still good news for these companies, however, because the GDPR contains an accountability provision.
Essentially, companies need to prove—via their use of software tools, corporate training, and policies—that they’ve done everything in their power to mitigate potential data breaches. Using this rubric, the information commissioner’s office might assess that even if a data breach occurs, the company did everything humanly possible to prevent it, and thus is not liable for heavy fines.
Protect Yourself Under the GDPR with Safe-T
Education on its own won’t prevent workers from accidentally breaching US and EU regulations against transmitting customer information in the clear. Automation, not education, is the magic bullet that can prevent companies from running afoul of them. Safe-T offers built-in automated decryption, detection, and access policies to prevent workers from breaking compliance—and can save companies from hefty fines. Here’s some more information on how Safe-T can help your company adapt to the GDPR, and make sure to check out our GDPR guidelines so that you’re not caught off guard come 2018.