EU GDPR: Get your data privacy act together
The moment of reckoning is on its way for companies that collect or store data on European Union citizens. Last week EU legislators signed data privacy regulations into law, creating what may be the most stringent data protection law in place today. The requirements will not be easy for many companies to meet and will demand financial and personnel resources. There is sure to be criticism that the EU stifles technology innovation. In reality, the GDPR demonstrates a progressive approach to data transactions and the digital economy. The introduction of the regulation states, "The protection of natural persons in relation to the processing of personal data is a fundamental right…".
Essentially, the law codifies the concept that data transactions come with responsibility on the part of the collector. As technology continues to advance, establishing this foundation of trust is a necessary step. Complying with the regulation may seem onerous, but think from the consumer’s perspective. Organizations gather more data than ever. Huge headaches and hardships arise when data is stolen or lost. The regulation puts in place best practices to ensure companies offer a necessary level of security and treat personal data with the respect it deserves.
How Companies Need to Prepare
Organizations have two years to prepare to act as data borrowers, not owners. When you collect data, it is on loan. The lender can ask for that data back, check you are using it correctly, and demand that you do not loan it to someone else without their approval. The principle is simple, but execution will be difficult for organizations with a sprawl of personal data and partners.
The 200-page law is available online, as is an in-depth guide, but here are the seven provisions that will demand IT’s attention:
- Fines Will Hurt: The maximum fine rises to 4 percent of global turnover or €20M, whichever is higher. Previously countries defined their own fines, and punishment rarely amounted to more than "pocket money". The GDPR gives data privacy regulation the teeth it lacked before, which may be the medicine necessary for companies to invest in their information security capabilities.
- No Breach Story Untold: The GDPR ascribes a strict timeline to breach notification. Companies must inform the regional supervisory authority within 72 hours of any data loss. Users should be informed “as soon as possible.” The time frame contrasts with the behavior of many companies who have dragged their feet in notifying the public about data loss. Hopefully more companies will put in place a breach response plan; currently only 44.5 percent of companies have a complete plan.
- No Hiding Behind Borders: Any organization with data on EU individuals has to conform, wherever they are based. Legal experts explain this is true of "pretty much every website and app in the world". This greatly expands the scope of the regulation, since the previous law only applied to companies headquartered in the EU. Every global company should audit for regulated data.
- The Company You Keep: Any company whose hands touch regulated data is covered under the GDPR, in addition to the company that originally collected the data. For example, a retailer may share personal data with a marketing consultant, and the latter will also be required to comply with the law. For many companies, especially enterprises, this step will require taking inventory of which business partners receive regulated data -- no small task. The law applies equally to SaaS providers, to whom companies effectively outsource security when they upload data.
- The Long Arm of the Law: The GDPR permits transferring data outside the EU, but companies remain responsible for lost data. That means there is no abrogating or handing off responsibility. For example, a company can upload data to a non-EU server or cloud provider but retains liability for any data breach.
- No More "Good Cop, Bad Cop": In rulings on past data privacy infractions, certain countries had taken firmer stances than others. Agencies are expected to enforce the law consistently across all EU countries. The GDPR ensures that the same strict law will apply regardless of the local government.
- Covering Your Bases with Encryption: The GDPR recognizes encryption as a saving grace in certain situations. If lost data is encrypted, a company does not need to notify the owner. Companies should look specifically at encrypting fields containing regulated data, especially before data leaves their networks. Implementing encryption wherever possible will be an essential step on most companies’ checklists.
Digital information is the brick and mortar of new business models, but companies currently treat it like a cheap commodity. The GDPR may create headaches for IT people, compliance departments, and even CEOs. Still, the regulation is a necessary evolution for the digital economy. Consumers will receive rigorous and transparent rights over their personal data. Increased fines and broader coverage leave no doubt that data protection is an integral responsibility. Whereas currently the business may choose not to invest in securing data, the GDPR will turn the tables so that companies cannot afford to lose data.
Nigel Hawthorn is EMEA Marketing Director, Skyhigh Networks and has more than 30 years’ experience of computers, security, networking and mobility. He has a strong technical background and he has presented at security, e-commerce and networking conferences in over 50 countries. His experience has mirrored many of the most innovative areas of computing; Apple and PCs in the 1980s, storage and networking in the 1990s, Internet performance and web security in the 2000s and mobility and cloud enablement in the 2010s.