
What is GDPR?

The General Data Protection Regulation (GDPR) is a strict set of EU regulations that governs how the data of EU citizens must be protected. It affects organizations that have EU-based customers, even if they’re not based in the EU themselves. The GDPR was approved by the European Parliament in April 2016 and came into effect on 25 May 2018.

Explaining What the GDPR Is

The GDPR is essentially a set of rules designed to give EU citizens control over the data that organizations collect on them, regardless of whether those organizations are based in the EU. In the process, it also aims to simplify the regulations imposed on these companies so that they’re clearer and easier to comply with.

Should a company fail to comply with the GDPR, it can be fined up to €20 million or four percent of its annual turnover, whichever is higher, if it is found to infringe on the data rights of its customers. The maximum fine also applies to companies found to be involved in unauthorized transfers of personal data, or that fail to give customers access to their data on request. Smaller fines are handed to companies that fail to report data breaches or fail to build systems designed to protect customer data, but these can still run into the millions.

As you can see, the GDPR is not something to be ignored, especially if you have a lot of customers in the EU. If you don’t comply with the GDPR, then your business, whether it’s a store, a website or anything else that processes or stores data, cannot operate in the EU. If your company is already active, you should not open your business to EU residents until you have ensured that your systems protect your users. If your business is still in the planning stages, it’s important that you consider the different ways in which you can protect your EU-based customers.

Understanding What Data You Collect

If you want to be smart about how you implement the GDPR, you need to understand why you’re actually collecting information and how you plan to use it. Start by asking your team what information is collected and identifying the uses for that data. Identify the various types of data you hold and how each relates to your business, then remove anything that isn’t related to your business or serves no real purpose. Questions to ask include who you collect data on, how it’s collected and what data is collected. It’s also important to consider why you’re collecting the data and to prioritize the types of data that you believe are most useful for your business.
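The inventory exercise described above can be started mechanically: scan an export of your records for fields that hold personal data, then compare the result against the purposes your team has actually declared. The following Python is an added example written for this article, not code from the original post or from BitLyft; the sample records, the declared purposes and the field names are all constructed, and the regular expressions only catch a few obvious categories (email, phone, IPv4), so a field such as a person's name still needs a human reviewer.

```python
"""Constructed example: build a personal-data inventory from sample records.

Scans each field's values for common personal-data patterns, records which
fields hold personal data, and compares that against the fields the business
has declared a purpose for. Personal data with no declared purpose is the
first candidate for removal.
"""
import re

# Constructed sample export, as a team might pull it from a CRM or web shop.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 20 7946 0958", "last_ip": "203.0.113.7", "plan": "pro",
     "favourite_colour": "green"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.org",
     "phone": "+1 555 0100", "last_ip": "198.51.100.23", "plan": "free",
     "favourite_colour": "blue"},
]

# Constructed: the purposes the business has written down for each field.
# Anything not listed here has no documented reason to exist.
DECLARED_PURPOSES = {
    "id": "account identifier",
    "name": "billing and support",
    "email": "account login and service notices",
    "plan": "service delivery",
}

# Deliberately simple detectors; a real inventory would add more categories.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "phone": re.compile(r"^\+?[\d\s()-]{7,}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
}


def classify_value(value):
    """Return the personal-data category a single value matches, or None."""
    if not isinstance(value, str):
        return None
    for label, pattern in PATTERNS.items():
        if pattern.match(value.strip()):
            return label
    return None


def build_inventory(records):
    """Map every field name to the set of personal-data categories seen in it."""
    inventory = {}
    for record in records:
        for field, value in record.items():
            categories = inventory.setdefault(field, set())
            category = classify_value(value)
            if category:
                categories.add(category)
    return inventory


def review(records, declared_purposes):
    """Split fields into three lists a team can act on.

    personal_with_purpose:    personal data you have a documented reason to keep
    personal_without_purpose: personal data with no documented reason (remove it)
    undeclared_fields:        every field lacking a declared purpose, personal or not
    """
    inventory = build_inventory(records)
    return {
        "personal_with_purpose": sorted(
            f for f, cats in inventory.items() if cats and f in declared_purposes),
        "personal_without_purpose": sorted(
            f for f, cats in inventory.items() if cats and f not in declared_purposes),
        "undeclared_fields": sorted(
            f for f in inventory if f not in declared_purposes),
        "inventory": {f: sorted(cats) for f, cats in inventory.items()},
    }


if __name__ == "__main__":
    result = review(SAMPLE_RECORDS, DECLARED_PURPOSES)
    for field, cats in result["inventory"].items():
        print(f"{field:18} {', '.join(cats) or '-'}")
    print("remove or justify:", result["personal_without_purpose"])
```

On the constructed records the run flags `phone` and `last_ip` as personal data with no declared purpose, which is exactly the "remove anything that serves no real purpose" step above; `favourite_colour` is also undeclared but not personal, so it is a cleanup rather than a compliance issue.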

Basic Cyber Security Practices

Standard cybersecurity practices, such as installing a firewall and configuring it correctly, should be the basis of your data protection strategy. You should also have antivirus countermeasures in place in case a threat is introduced to your network through external storage media such as a USB drive. The quicker you can stop the spread of a virus, the sooner you can contain the threat and deal with it, so that it does not affect or expose your user data. These basic cybersecurity practices form the foundation of your GDPR compliance strategy and cannot be ignored if you want to be accessible to EU-based customers.

Have Protocols in Place for Data Breaches

A data breach is never a good sign for your security team, but it’s essential that you focus on understanding why it happened so that you can report it to the relevant GDPR supervisory authority. This means you should have measures in place to detect, investigate and finally report a data breach. The report should cover how it happened, why it happened, how you investigated and what your investigation found, compiled into a comprehensive document that you can present. By setting up a protocol that your employees are aware of, you can quickly and easily compile information about the breach so that you can fix the issue and report it to the authority.

Identifying Risks and Preparing Countermeasures

It’s vital that you identify the risks your network may be exposed to. For instance, your firewall may be robust enough to prevent the odd attack, but it may not be able to withstand a distributed denial of service (DDoS) attack. DDoS attacks are a real threat to personal data and can easily overwhelm smaller network defenses, especially if they are not updated or configured properly. If a DDoS attack manages to bring down certain network security systems, it could expose your entire network and give attackers free rein over the personal data you’ve stored.

Increase Awareness Regarding GDPR

It’s also important that you inform your staff about the GDPR and how to stay compliant. This ensures that they take extra precautions with security and with how they manage customer-related data, and it should also help them enforce the security protocols you have established. This may include notifying your network specialists and chief information security officer about potential data breaches and anomalies within the network that could be a cause for concern.

Updating Customers About the GDPR

Under the GDPR, you also need to let your customers know that you’re collecting information from them and when you’re doing it. Your privacy policy should be updated to reflect this, and you should also have a notice on your website that lets your customers know about your compliance with the GDPR so that they can request the data you have stored on them. With a privacy policy on your website, you’re letting your customers know that you take data protection seriously and that you vow to comply with the GDPR to offer them a safer and more secure experience when using your services.

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.
