On May 25th, 2018, the European Union’s new General Data Protection Regulation (GDPR) will go into effect. Created to provide individuals with enhanced control over their personal information, GDPR standardizes data privacy laws across Europe while increasing the transparency with which organizations approach this hot-button issue.
At its core, the GDPR makes a bold claim: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” Operating under the assumption that data collection and processing are the backbones of modern business, GDPR sets out to shield that data from bad actors along every step of the information superhighway. Backing up that move are steep new fines for any data privacy breach: up to 20 million Euros or 4% of a company’s total global revenue.
Most American laws and regulations favor businesses over consumers, but for decades the European Union has subscribed to a more consumer-first perspective. Now, GDPR will attempt to set a global standard for data privacy. The United Kingdom, which voted last year to leave the European Union, will implement its own Data Protection Bill that largely matches GDPR guidelines.
It will take time for a precedent to be set in terms of GDPR adoption in the United States and Canada. But a PricewaterhouseCoopers survey in early 2017 found that more than 90% of American C-level executives considered GDPR compliance “a top priority” on data privacy and security agendas. A survey conducted in late 2017 by the International Association of Privacy Professionals found that 84% of US respondents expected to be prepared for GDPR by May 2nd. So American companies are paying attention.
And that makes good business sense. Data can be transmitted around the globe in seconds, and under GDPR regulations, EU citizens will be protected no matter where their data travels. What does that mean? If any company anywhere in the world maintains a database of information including that of EU residents—or uses the Internet to market targeted goods or services to EU residents—that information is bound by GDPR rules. American companies with a global focus (think hospitality, travel, software, and e-commerce) can either block EU users altogether or implement specific processes to ensure compliance.
Notably, businesses of all sizes must comply with GDPR, which requires that consumers have multiple options for controlling, monitoring, anonymizing, and deleting personal data where desired. Specific and affirmative consent will be required for data sharing, while data breach notification is mandatory within 72 hours of its discovery. Clearer communications, a reiteration of consumer rights, and extra protection for children are also included in GDPR’s recommendations.
New processes, standards, and safeguards for handling data will likely become the baseline thanks to GDPR. But businesses that already take privacy-related threats seriously will do better when the regulations kick in, no matter how they’re enforced in the United States, Canada, the European Union, and beyond. For now, consider these basic strategies when contemplating GDPR’s impact on the future of data privacy:
The best way to understand GDPR and its compliance requirements is to work now to conduct an accurate assessment of your present processes. Doing so can help you identify high-risk areas and fix any problems, whether they relate to GDPR or not.
Your employees act as your first line of cyber defense, and anyone who handles data can be empowered to enhance security and help the company comply with new privacy requirements.
The number of tools is endless, but multi-layered defenses are now the norm. Consider data encryption, strong firewalls, anti-malware and anti-spam software, network management, proactive monitoring, email archiving, and regular data back-up as must-haves for any modern business.
This includes email service providers, customer relationship management software, and outside agencies that assist your company with its data. Similar to HIPAA rules in the United States, you can be held responsible for data breaches made by data processors you work with.
The average American consumer may not know much about GDPR. But in this day and age, demonstrating that your company adheres to stringent data privacy regulations can be a major selling point. Once an IT provider helps your company enhance its cybersecurity, don’t be afraid to use such compliance as a competitive advantage.
Although GDPR only applies in the European Union, for now, the stage is set for a global shift in data privacy laws. Taking such concerns seriously is imperative for any business, big or small, with its eye on the future—why not work now to make data more secure instead of waiting to become a data breach headline down the road? If you have questions about your company’s current state of cybersecurity, contact CMIT Solutions today. We worry about IT so you don’t have to.