After two years of preparation, the European Union's General Data Protection Regulation is set to go into effect May 25, 2018. Designed to replace the Data Protection Directive of 1995, this legal framework will provide substantial protection for EU citizen's data by imposing heavy fines on any company found to be in violation of the GDPR.
While large companies within the EU have been bracing themselves for impact, many organizations feel unprepared. A report from information security provider Varonis found that 55 percent of businesses worldwide were worried about incurring fines for a GDPR violation. Given that these penalties can be severe – with a maximum fine of €20 million or 4 percent of annual worldwide turnover – organizations may have reason for alarm.
However, arguably the group most at risk are smaller businesses not based in the EU, or companies that don't primarily deal with data. After all, the GDPR is all about regulating data privacy. Yet these organizations may be in the crossfire. Any business that collects data, any amount of it, from an EU citizen or the EU market must fully comply with GDPR standards.
Who needs to comply with the GDPR?
According to the New York University School of Law, any U.S. organization possessing an entity or any kind (person or office) should ascertain if they will be required to follow the new GDPR policy. GDPR standards will apply to all businesses that process any amount of "personal data" from individuals located in, or protected by, the EU.
The definition here of personal data is broad. According to the initiative, personal data is now any information, not just personally identifying information, that relates to a natural person, identified or identifiable. These new standards apply to log-in information, vehicle ID numbers and IP addresses.
"Any operation or set of operations which is performed on personal data or on sets of personal data" will be regulated by the new standard, according to the articles of the GDPR. These broad definitions and regulations have been purposely worded to incorporate not just companies within the EU but global organizations as well. While the GDPR is a Euro-centric law, its implications may create a new global standard of internet data security.
How prepared generally is the U.S.?
Unfortunately, many businesses in the U.S. simply are not sufficiently informed regarding the coming measure. The Varonis report found that U.S. awareness of the GDPR was only at 65 percent, below the overall average of 79 percent. Only 30 percent of U.S. respondents reported being in full compliance with the upcoming laws. Over 10 percent of organizations still didn't know whether the bill would affect them.
When looking at overall measure compliance completion, the majority of U.S. companies affected by the GDPR have re-evaluated data breach detection procedures, as the GDPR mandates that any EU citizen affected by a breach must be notified within 72 hours of its detection. A little less than 60 percent of U.S. organizations have also conducted a comprehensive assessment of personal data stored within their organization.
This procedure is highly recommended for all companies that may even remotely store some sort of personal data from the EU. It is only after such an assessment has been performed that an organization can be sure whether or not it will be affected by the GDPR.
About 7 percent of U.S. businesses had completed no significant measures to comply with the GDPR.
"About 7 percent of U.S. businesses had completed no significant measures to comply with the GDPR."
What does the GDPR mean for data collection?
Personal data collection will become more transparent under GDPR guidelines. Everyone, personally and professionally, is familiar with user agreements, popular on social media sites like Facebook and Google. These documents have been full of dense legalese designed to disguise their intentions and limit consumer knowledge of the websites' activities.
Under the GDPR, these wordy documents will be made illegal, replaced by concise, comprehensible wording that will alert the "data subject" of exactly what information is being taken. The individual will reserve the right to leave said data contract anytime with no negative repercussions allowed. In short, the naive early days are over and the GDPR will arm at least EU consumers will the tools needed to determine what, if any, information they allow to be shared for commercial purposes.
Data protection by design will also be mandated. Companies will have to factor in information security at every stage of data collection software collection, instead of regulating it to outside software or hardware.
How the GDPR will impact overall data collection remains to be seen. However, what is clear now is that many organizations still have work to do before May 25. With such steep penalties for failure to comply, businesses cannot afford to be asleep on this issue, or even to drag their feet. The fundamental nature of information security could well change from this act. Hopefully, it will be for a better, more secure data privacy marketplace.