Approved by the EU Parliament in April 2016, the European Union’s (EU) General Data Protection Regulation (GDPR) is set to go into effect in May 2018. The new regulation will replace the 1995 Data Protection Directive and is designed as a new approach to the way organizations address the processing and protection of data, particularly the personally identifiable information of EU citizens. In addition to streamlining how all EU member states secure information, the GDPR will standardize data privacy laws across the Union. Since the GDPR is a regulation and not a directive like its predecessor, it is binding across all EU member states.
The GDPR goes into effect at a time when substantial breaches have dominated the news, particularly incidents in which users – through no fault of their own – had their sensitive personal information put at risk. The breaches at Equifax and the Office of Personnel Management are two examples of this, the former exposing the data of nearly half of the population of the United States. One of the most notable aspects of the GDPR, as opposed to its predecessor, is that it focuses on the rights of individual EU citizens, empowering them with substantial control over how organizations use, process, and store their information. According to the GDPR, these individual-friendly rights include:
- The right to refuse to become a data subject. This means that citizens can refuse to have any of their personal information processed.
- The right to be informed. Once you have consented and become a data subject, you have the right to be informed of anything that happens with your personal data and what it is used for; you also have the right to access it, to modify it, and even to withdraw consent from a particular organization.
- The right to restrict data processing. The individual can restrict the processing of personal data.
- The right to be “forgotten.” In this case, the individual can request that an organization delete or remove their personal data from its systems (one caveat: there are some circumstances in which the data will not be erased at the request of the individual, such as a legal obligation or public health purposes).
Another notable aspect of the GDPR is its impact on foreign organizations that conduct business or transactions with European companies or with European citizens. The GDPR addresses two categories of organizations – “controllers” and “processors” of information. Per the regulation, controllers are entities that determine the purposes, conditions, and means of the processing of personal data, while processors handle the data on behalf of the controller. This is important because it requires foreign organizations to fully comply with the guidelines set forth by the GDPR, or else risk fines of up to 4 percent of their annual revenue or €20 million, whichever is greater.
Despite nearly two years having passed since the GDPR was approved by the European Parliament, there is legitimate concern that both European and foreign organizations are not prepared to meet the security requirements outlined in the GDPR. According to a recent Vanson Bourne survey of 625 IT decision makers across Belgium, France, Luxembourg, and the United Kingdom, 54 percent of businesses had little understanding of the fines associated with non-compliance; 17 percent of all businesses surveyed admitted that if they were fined under the GDPR the business would close; and 39 percent of IT decision-makers surveyed said that fines would lead to redundancies within their businesses. A 2017 conference revealed similar results for U.S. firms: only 22 percent appeared concerned about the GDPR, and more than 50 percent were unaware of its relevance to their business. Any business should engage GDPR experts to help with GDPR compliance. For companies that work on GDPR compliance, check our list of data security vendors.
Nevertheless, the emphasis on organizational responsibility for the protection of civilian data outside a specific geographic region is a noteworthy initiative and may be a harbinger of things to come. In June 2017, China enacted its Cyber Security Law, which imposes restrictions on certain transfers of data out of China. While not an omnibus data privacy law like the GDPR, it does contain strong stipulations with regard to data privacy and cyber security.
The focus on protecting the data of individuals underscores a change in perspective on how to approach cyber security, and this is a welcome development. If the EU and China succeed in these efforts, other governments may follow suit in placing the data protection of their citizens at the forefront of their cybersecurity concerns. With the volume of global sensitive personal data already compromised (more than 4 billion data records were stolen in 2016), let’s hope it’s not too late.
This is a guest post written by Emilio Iasiello.