Security is a critical part of what we do every day. We try to protect our passwords. We make sure no one is shoulder surfing when we type in our PIN codes. And even when our information leaves our control we’re still hoping that other people take as much care with our data as we do. But how will they do that?
There Ought To Be A Law
If you live in the European Union (EU), 2018 is going to be a very interesting year for your data security. A new law is set to go into effect that codifies a host of best practices. That law goes a long way to making sure that any company that holds your data is doing a good job of keeping it safe.
The General Data Protection Regulation (GDPR) was approved in April 2016 with a 2-year implementation period. We’re now coming to the time when GDPR must be completely implemented as law. Because it was adopted as a regulation it doesn’t require the member nations to vote on adopting it. If you live in the EU you are covered. If you are a business that works with people living in the EU you must agree to abide by the regulation.
What’s involved in GDPR? The regulation itself is large and encompasses a lot of things, but it breaks down into a few key areas:
Protections For People
- People have to give their consent to have their data stored in your organization. The language must be clear and not legalese.
- People have the right to ask if their data is being stored by your company at any time. You must provide a list of the data being stored.
- People can ask for the data that you are storing in a portable format at any time. It must be possible to import that data into a different IT system using standard protocols.
Protections For Data
- Data collected must be secure at all points from collection to storage.
- If you are an organization that specializes in data storage and processing and you have more than 250 employees, you have to have a dedicated Data Protection Officer qualified to do the work.
Protections From Theft
- If a customer asks to have their data destroyed at any point, you must comply. People have the right to be forgotten.
- If your data storage is breached in any way, you must report the breach no later than 72 hours after detection.
Truth of Consequences
Violations of GDPR carry heavy penalties for the company holding a person’s data. They can be fined a minimum of €20 million or 4% of their annual revenue (called turnover in the EU), whichever is greater. That’s a huge stake to ensure that they are keeping your data private and secured.
This sounds stiff, but is it really a huge issue for companies? I would argue that the companies that have been storing things the “right way” so far need not worry. They may have to hire a Data Protection Officer to monitor things, but aside from that GDPR feels more like a formal collection of things that have already been done or needed to be done.
Companies that are worried about GDPR adding significant overhead likely haven’t been doing one or more of the above things already. They’re scrambling to implement the necessary protections before the deadline and need to spend significant cash to be compliant. If you’re dealing with a company that isn’t holding up their end of the bargain or if you think someone might be endangering your personal data, you need to do something. Ask them for their policies as outlined above. Tell them that you’ll report them if they don’t give you an answer. The only way GDPR has teeth is if you bare them when necessary.
Bringing It All Together
GDPR takes some of the things that we’ve seen being developed around data privacy and gives them a platform for adoption. Now, businesses that collect data must adhere to these regulations or face penalties. Think about how swiftly we would have seen change in the industry if Target or Home Depot had been fined 4% of their yearly revenue for failure to secure our data. Think about the budget for data protection if the alternative is a huge impact to the bottom line. What if the consequence is more than just years of practically worthless credit monitoring?
GDPR isn’t a looming issue. It’s a real law that will serve as the prototype for privacy laws for years to come. The more businesses follow it and believe in it when it comes to keeping customer data safe, the more likely it is that we will see far-reaching privacy standards implemented worldwide.
I agree that GDPR compliance is challenging – no question about it – so thanks for the helpful information. I think it’s important to note (at least from what I’ve seen) that scope must be determined early on and that quite a bit of documentation needs to be in order. Scope in that controllers and processors need to be aware of what personal data they are storing, processing, and transmitting for EU data subjects. I’m also finding that GDPR compliance for U.S. businesses is quite challenging because of the almost overwhelming amount of information that needs to be consumed and understood by internal compliance personnel – it’s quite a bit to say the least. Good luck everyone on GDPR compliance.