The General Data Protection Regulation, or GDPR enforcement date, is quickly closing in. It’s a sweeping and relatively new form of legislation that will change the current landscape considerably. How so? Well, it puts a lot of pressure on organizations to bolster advanced data security and privacy.
More specifically, it’s a European regulation that will go into effect on May 25, 2018. It’s an update to the existing directives or legislature called the Data Protection Directive.
What is GDPR and what will it do?
The General Data Protection Regulation (GDPR) — which will be enforced across the entirety of Europe, including the UK — is meant to offer protection and privacy controls to the country’s citizens. Not only will they have more power, but a unified set of rules and standards are also being established to boost security and protections. There are a variety of new precautions and processes organizations will need to follow concerning all information, but mostly consumer data.
Although it’s strictly an EU law, that doesn’t mean it won’t spread elsewhere. In fact, the GDPR will have a global impact when it goes into effect. Any business, brand or team that holds, collects, stores or processes personal data from citizens of the EU will need to follow the guidelines and specifications outlined in the law. It doesn’t envelope consumers alone, either — it also includes your employees, personnel, clients and prospective clients based in the EU.
Should you choose to ignore the law, you can face fines of up to €20m or 4% of your global annual turnover.
What rules apply?
The rules set forth by the GDPR are quite complex. But, we can break them down so they’re easier to understand and follow — here’s an excellent infographic that accomplishes the same.
GDPR restrictions adhere to the following concepts:
- Know what data you have collected and stored, and why you have done so
- Ensure the data is structured and maintained properly
- Identify the responsible parties — who owns the data — and ensure they have access to the necessary security measures
- Encrypt sensitive information that you or anyone else would not want to be exposed
- Establish, deploy and maintain a security-aware culture within your organization
- Be prepared in the event of a breach or attack, so you can respond quickly if it does happen
Not much should stand out from standard security operations — that is, if you already value the privacy and protection of the data you have available to you. And you should, because just about every form of information is stored and accessible from the cloud these days, including your shopping habits, the places you visit, the conversations you have with friends and family, your emails, your medical records and too much more.
“We don’t keep things locked in our hard drives [anymore], instead we let services like Dropbox store them for us, just as a bank store most of our money.”
Today, everything is stored as data, most likely on a public network. Security and privacy should be a primary concern for every business and or individual.
Customers, personnel and anyone else you serve all care about their privacy and security. It’s just good business to at least enforce security protocols and make sure the data you are responsible for is, for the most part, protected. Don’t store raw data on a public server, always encrypt sensitive information and content, deploy the appropriate authentication measures and systems and maintain proper security — via audits — over time.
What impact will it have on businesses?
Compliance and adherence to regulatory measures are the number one concerns for lawmakers and would-be enforcers. That means these concepts should also be your utmost priorities when serving EU citizens if they aren’t already.
Farming out or “siloing” security is not a good idea in the current landscape — heck, it never was. Instead, you’ll need to ensure you embed security, protection, privacy and related protocols into the fabric and foundation of your business.
The most significant shift, of course, will be educating and training every single person, employee and partner involved in the data chain. There can be no more weak links, per se. Everyone needs to get involved, and everyone needs to work together to maintain proper security and privacy.
Expect for your spending on security to increase, but also for the training, deployment, tools and software to become prominent concerns — and investments.