May 25, 2018 is a big day in the world of data security. It marks the deadline for companies to comply with the General Data Protection Regulation (GDPR) from the European Union. The regulation was adopted in 2016 to replace the 1995 Data Protection Directive, but companies were given a two-year runway to implement its provisions. Those two years expire on May 25th, which means that companies must comply or risk fines of up to 4% of their global annual revenue or €20 million, whichever is higher.
What is the GDPR?
The GDPR essentially requires that companies in the EU, and companies outside the EU that offer goods or services to people in the EU or monitor their behaviour, act with transparency about the personal data they collect, store, and use. Companies will need to disclose what data they collect, provide a copy of it to users who request it, and delete it when a user asks them to (subject to the regulation's exceptions, such as data the company is legally required to retain).
Along with this transparency, the GDPR points toward privacy-enhancing controls: it does not prescribe specific technologies, but it names pseudonymisation and encryption as examples of appropriate measures, and in practice that means techniques such as encryption, tokenization, and dynamic masking. It also requires companies to implement security controls appropriate to the risk, which for most organizations means access control, activity monitoring, and alerting, so that unauthorized access to personal data is prevented where possible and detected where it is not.
Does the GDPR affect North America?
If you’re an American or Canadian company, it’s tempting to feel like you’ve dodged a bullet, but this is definitely not the case. There really are no such things as borders with online data collection. If information is being collected from people located in the EU (their citizenship is irrelevant), the company receiving the data must comply with the GDPR, regardless of which country the company operates in.
The good news – and there is good news
From a consumer perspective, the GDPR is a positive move towards privacy and protection, two ideas the public highly values in a post-Cambridge Analytica world. Not surprisingly, companies like Facebook and Google are trying to get ahead and comply with the GDPR early.
For everyone else, the GDPR can be an exciting opportunity for companies to really understand how they deal with data – what personal data they collect, what they do with it, and how long they hold it for – and to improve their processes. In the past, there has been an unfortunate trend of collecting as much data as possible because it’s understood that data is valuable, but then neglecting to use or store this data well. With the GDPR, this is no longer a mess that companies can clean up later, once they decide that they want to see just how valuable that data is.
A lack of data organization will only become more significant if a user exercises their right to access all of the data a company has on them and the company needs to sift through countless places and formats to produce or delete it.
Consequences of non-compliance with the GDPR
As we already mentioned, the GDPR gives supervisory authorities the ability to fine a company up to 4% of its global revenue, but because the shift is a dramatic one, many people expect the regulations to be enforced softly at first. One of the biggest pieces to consider is that under the GDPR, companies must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, and must also inform affected users without undue delay when the breach is likely to put them at high risk. This obligation does not wait for the rest of your compliance programme: even if you’re still scrambling to organize user data or audit your digital assets, breach notification is something you can, and must, get right from day one.
Enforcing the GDPR is unique because the public is inherently involved. Companies have one month to respond to a user’s request for their data (extendable by a further two months for complex or numerous requests), so instead of answering only to those officially running audits, companies may be held accountable by their own users and customers. No one knows how quickly complaints will be answered or fines issued, but for those wishing to maintain a high public opinion, handling these requests well will be critical.
Where to start: audit and consolidate
Starting with a bird’s eye view tends to be helpful, so set out all of your digital assets in one comprehensive view. This should include items like domain names, DNS records, SSL/TLS certificates, and even social media usernames. Go through each one with an auditor’s hat on, looking for GDPR infringements across these assets, and address them immediately. After this initial assessment, you will need to monitor your assets regularly and continue to enforce data privacy requirements. Though the GDPR seems like a major adjustment, it could mark a global movement towards regulations like these, so the sooner companies adjust and comply, the better equipped they will be for the future.