Despite having almost two years to prepare for the General Data Protection Regulation (GDPR), there are companies across the globe that have done little, if anything, to avoid the hefty fines for non-compliance, despite being directly affected by the new law. In fact, businesses that fail to comply with the new standards for data collection and privacy by the May 2018 deadline could face fines of up to 4 percent of their annual revenue or 20 million euros, whichever is higher.
A big reason for the lack of preparedness is a misunderstanding of what businesses will have to do to comply in the first place. While the legislation comes from the EU, businesses don’t have to be based or even have a point of presence in the Euro zone to face hefty fines. Any business, regardless of where it’s based, that has customers in the EU or collects private, personally identifiable information (PII) of EU residents is held to the same standards.
Who will be most affected by GDPR?
The fact of the matter is that there are very few businesses that contribute to the global economy that this new regulation won’t touch. Whether you are a small e-retailer that sells niche products to a select few customers in the EU or a global behemoth on the scale of Amazon, you’ll need to cross check your existing policies with the GDPR.
This is the biggest point of confusion for most businesses, as the GDPR doesn’t necessarily speak to data sovereignty so much as a business’ behavior and efficacy in providing the best protections. It emphasizes a point that many security experts have been harping on for years: data protection is an ongoing battle, not a matter of installing solutions once and expecting your problems to be resolved.
To drive this point home, Article 35 of the GDPR makes it mandatory for certain businesses to boost their manpower to ensure that defenses against data breaches are constantly being tested and strengthened.
Any organization collecting a subject’s genetic data, health information, racial or ethnic origin, or even religion will need to appoint an officer who can act as a dedicated point of contact for the authorities monitoring compliance. This can’t just be any member of IT who’s read up on the latest compliance standards: Articles 36 and 37 explain in depth who qualifies for these roles – generally, career enforcers with a history of dealing with authorities – as well as their responsibilities within the company.
What are the main sticking points?
Along with allocating manpower that will specifically be tasked with vetting these details to ensure compliance, there are a few key points of the legislation that businesses will need to zero in on as a starting point. There are more than 91 articles within the GDPR spread across 11 chapters, making it a hefty document for IT to parse.
Articles 23 and 30 are the areas of the legislation that should look the most familiar to teams already implementing data privacy protocols. Many of the measures here are relatively baseline in the context of the current cybersecurity climate, putting into law many of the practices that most businesses would already have needed to implement to succeed in a global market. These include deploying gateways to inspect web traffic that might be accessing or transmitting an organization’s customer data, along with encryption based on current security protocols, such as Transport Layer Security (TLS), that most internet traffic already adheres to.
The GDPR also goes to great lengths to give customers more control over their PII, especially information that gets automatically processed by the services they do business with. Articles 17 and 18 dictate the “right to portability,” for instance, which allows subjects to transfer their PII between independent service providers with greater ease, as well as the “right to erasure,” under which subjects can request that a business scrub their PII from its data stores under certain extenuating circumstances.
The driving factor here is to give customers greater choice in the services they take advantage of, rather than holding them to contracts that might be leaving their PII vulnerable to a data breach.
Data breaches specifically are discussed in Articles 31 and 32. The former holds businesses to a 72-hour deadline to alert customers who were subject to a personal data breach once the company uncovers the compromising incident. Article 32 takes this a step further by requiring that data controllers waste no time in notifying compromised subjects, or else they could face immediate penalties and have a weakened defense should litigation take the business to EU courts.
Article 79 is the guideline that all members of an organization need to keep top of mind, as it details the penalties for non-compliance; specifically, what kinds of offenses warrant the intimidating 4-percent-of-revenue penalty mentioned above.
The good news for many businesses that have been dragging their feet is that a lot of the protocols the GDPR makes law are already widely considered best practice for any business taking part in the digital economy. Despite this, the GDPR protections are more wide-ranging than any preceding measures taken on a multinational scale, so businesses need to be diligent in cross-checking their existing security infrastructure against the GDPR to avoid penalties that no business can easily afford to stomach.