Breaches and ransomware attacks are more prevalent than ever, and concern for protecting data is mounting on a global scale.
Toward that end, the EU has put forth its General Data Protection Regulation (GDPR), but no legislation can be implemented without consequences for the businesses that must comply with it. Given that GDPR aims to standardize data privacy laws and mechanisms across industries, few sectors will escape significant impact.
Any company that directly or indirectly controls or processes the personal data of individuals in the EU will be affected by GDPR. Note that the regulation's term is "personal data" rather than the narrower "personally identifiable information" (PII), and its scope is tied to data subjects located in the EU, not to EU citizenship. Both "data controller" and "data processor" are broadly defined, which means that virtually every company will be impacted by these changes. For small businesses, dealing with these data collection and processing regulations will be overwhelming, if not crippling.
The deadline for compliance is swiftly approaching, yet many organizations are not ready. The individual's right to erasure (Article 17) is sure to influence the ways that organizations collect and retain data moving forward, which will require additional resources of both time and money.
Proper preparation or poor performance?
"Overwhelmed" is how many security practitioners describe themselves. As the 25 May 2018 deadline approaches, those in governance, risk, and compliance are joining the ranks of SOC analysts in the scramble to prepare for GDPR.
Few companies (only 27 percent of those who participated in an Alert Logic survey) reported that they were confident they will be ready when GDPR becomes enforceable on 25 May 2018.
One in four businesses is unprepared to meet the new law, which replaces the 1995 Data Protection Directive. Despite the stated intention of streamlining regulations regardless of the type of business that is collecting data, most firms will have to re-evaluate their data collection systems and modify their privacy and consent policies in order to be in compliance.
General counsel across financial and industrial organizations will be burdened with the obvious (but perhaps overlooked) responsibility of ensuring strict compliance without sacrificing an organization’s ability to innovate or respond to market fluctuations.
What’s the hold up?
At issue for most companies is where to begin implementing changes, particularly because the legislation is the largest change to data collection rules ever applied across all sectors. GDPR also crosses geographical boundaries: under Article 3 it applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, so digital enterprises with no EU presence are still within scope.
Though it might seem that the greatest impact will fall on the healthcare, financial, and retail industries, marketing firms are also exposed: traditional marketing campaigns that rely on bought lists or pre-ticked opt-ins will most likely be breaking the law come late May 2018.
GDPR's broad scope requires any business to have a lawful basis before collecting personal data. Consent is only one of the six lawful bases in Article 6, but where it is relied upon it must be freely given, specific, informed, and unambiguous, which is a far higher bar than most existing consent practices meet. As a result, pressure is mounting on human resources and recruiting firms, who will need to increase efforts to protect applicant privacy.
What organizations will likely need is help putting the right controls in place and implementing the proper processes to defend against cyber threats and to meet GDPR's breach-notification requirements. Though virtually all sectors will be challenged by these changes, financial institutions face greater obstacles when it comes to the consequences of a breach.
This is a guest post by Kacy Zurkus.