The GDPR Will Be Better For Business Owners Even If It Is A Headache

By ISBuzz Team, Information Security Buzz. Published March 29, 2017; updated July 4, 2024. 4 min read.

[Image: “headache” (CC BY-SA 2.0) by openDemocracy]

With the Data Protection Directive (95/46/EC) set to be replaced in 2018 by the European Union’s General Data Protection Regulation (GDPR), businesses will soon have to adapt. With cyber security now a hotter topic than ever before, businesses are being held increasingly accountable both for their own and their customers’ actions.

In fact, when the GDPR comes into effect in May 2018, it won’t just be businesses inside the EU that must comply with the new rules. Under the new set of regulations, individuals will get more control over their personal data. On an operational level, this means applicable organizations will have to have the following provisions in place:

Mandatory Notifications – If a company suffers a data breach, the GDPR states that said company must report it to regulators and the affected individuals immediately. In practice this means companies will be forced by law to be more open about their security and, importantly, how they store their data. They’ll also be more accountable for it.

Right to Erasure – Individuals will have the right to request the deletion of their personal data when this data is no longer needed for its original purposes. In practice, this means companies will have to review the way they process client information, because it may be necessary for them to delete specific parts of a data file that are no longer needed, or even the whole data file. Essentially, the company will have to keep its records in order so that it is able to pick out specific pieces of information following a request to delete something.

Privacy Impact Assessment – This lengthy assessment will review all areas of a business with regard to its security provisions, data storage and marketing efforts. What’s also significant is that it will focus on the business’s activities both inside and outside of its main offices. For companies, this will mean provisions for data protection now have to be applied across the board regardless of the expense.

Data Protection Officers – To ensure continued compliance, the GDPR asserts that larger businesses will have to have a dedicated in-house data protection officer (DPO). The EU recommends that a DPO be a lawyer, which means a company will have to factor this cost into their overall budget.

This Isn’t an Issue Businesses Can Ignore

[Image: “FIGURE 11.2 360-degree feedback” (CC BY 2.0) by Jurgen Appelo]

Given that the operational changes required to meet the new guidelines from the GDPR could be both challenging and costly for many businesses, there could be a temptation for companies outside of the EU to ignore the directive.

Unfortunately, even businesses outside of the EU may have to follow the GDPR. When looking at the guidelines and asking whether the GDPR applies to your business, it’s worth noting that any personal data that originates from the EU is subject to the rules. To put this in context, “organizations of any size in any country that process anyone’s data—if that data originated in the EU—is subject to the GDPR”.

Okay, but what if a business simply chooses to ignore the directive and continue as normal? Again, the EU has thought about this and decided to impose stiff financial penalties on any company not in compliance. At the upper end of the scale, regulators will have the power to fine businesses as much as €20 million (approx. $22 million) or 4% of their global turnover (whichever is greater) if they fail to adhere to the core principles of data processing, infringe personal rights, or transfer personal data to other countries or international organizations that do not ensure an adequate level of data protection.

To put this in context, when hackers breached Yahoo’s network and compromised an estimated 1 billion accounts, it only became public news three years later. Had the GDPR been in place and Yahoo been compliant, we would have known about this a lot sooner thanks to the new rules. However, had the GDPR been in place and an investigation revealed that Yahoo hadn’t met the guidelines, the company could have been hit with a $200 million fine based on its 2016 earnings of $5.18 billion.

In short, even if the new rules pose something of a headache for businesses, the potential cost in fines clearly outweighs the cost of any practical changes needed for compliance. Moreover, the end result may be a better experience for customers and potentially for businesses themselves. By having more control over their data, customers might have the confidence to provide companies with more of their information, which could benefit those companies in the long run.
