David Thomas, CEO of Evident ID
After a busy year of increasing data breaches and threats to personal data across the globe, a major data privacy protection reform effort from the European Union is barreling down the pipeline. It’s an important step forward for consumers’ rights and safety; however, companies around the globe now have the challenge of getting protective systems in place and must re-evaluate how they manage personal data. And the stakes for noncompliance are significant with reform becoming standard policy in just a few short months.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation designed to raise the overall standard of data protection while harmonizing data privacy law across Europe. It will change how a wide range of businesses collect, hold, store and protect personal data. Adopted in 2016, it applies from May 25, 2018, a mere four months away, and that date will not move.
Beyond any country-specific requirements, businesses must meet a single baseline standard across all 28 EU member states, because the GDPR applies directly in each of them rather than through national transposition. Meeting that standard is significant and will likely require a large investment: one PwC survey found that 68% of companies expect to spend between $1 million and $10 million on it.
Who does it affect?
GDPR’s expanded territorial scope is arguably the biggest change in European data privacy regulation. The new rules apply to all organizations established in any of the EU’s 28 member states, and also to organizations based outside the EU that process personal data of individuals in the EU when offering them goods or services or monitoring their behaviour. Note that the trigger is the data subject being in the EU, not EU citizenship. The regulation also takes a wide view of what counts as personal data, ranging from social media posts to an individual IP address.
Why is it important to me?
Noncompliance penalties under the GDPR are steep: up to €20 million or four percent of global annual turnover, whichever is higher. This is a huge change in scale. For example, Facebook was fined €1.2 million by the Spanish data protection authority this past year for sharing profile information with advertisers; that kind of sharing will carry a far steeper fine once the regulation applies. Businesses that fail to adhere to the new rules also expose themselves to claims and representative actions from affected individuals in every one of the 28 member states, not to mention damage to their brands and commercial reputations.
Four short months is not much time to understand the GDPR’s many moving parts and build out the internal processes needed to reach compliance. And remember, it’s not just about being compliant by May. It’s about building a system that sustains compliance afterwards. GDPR is the new standard and there’s no going back.
How hard could it be?
Several requirements will challenge your security team, but we wanted to highlight three important components that could require major operational overhauls:
- Stronger consent conditions
Consent is one of several lawful bases for processing personal data, but where a company relies on it, the bar is much higher than before. Consent must be freely given, specific to a stated purpose, and unambiguous, and according to the EU’s GDPR website the request for consent “must be given in an intelligible and easily accessible form.” Once consent is obtained, the data may only be used for the purpose defined when that consent was given. Consent must also be as easy to withdraw as it was to give, and if an individual withdraws it and no other lawful basis applies, their personal data must be erased from the relevant systems.
- Mandatory breach notification
As stated on the EU’s GDPR website, companies must report a personal data breach to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the individuals affected, they too must be notified “without undue delay.” In practice this means detection, triage and escalation have to be fast enough that the 72-hour clock can be met, and that decisions about risk and notification are documented.
- Privacy by design
Businesses are now legally obligated to build data protection into their information systems from the outset, by design and by default, rather than treating security as an add-on. Patchwork fixes after the fact will no longer cut it.
Only time will tell how businesses respond to this watershed moment in data security. 2018 will be a year of changes across the cybersecurity landscape starting with this critical shift in regulatory requirements for companies. The sooner companies start to evolve their security management protocols, the safer both their customers and their businesses will be.
Bio: David Thomas is the CEO at Evident. He is an accomplished cybersecurity entrepreneur, having held key leadership roles at market pioneers Motorola, AirDefense, VeriSign, and SecureIT. He has a history of introducing innovative technologies, establishing them in the market, and driving growth – with each early-stage company emerging as the market leader.