A forthcoming EU regulation is changing the international landscape of data privacy.
Recently, the EU’s new General Data Protection Regulation (GDPR) has been creating rumblings in the media. This sweeping reform will have far-reaching impacts on data privacy when it comes into effect on May 25, 2018.
GDPR will replace a patchwork of legacy regulations instituted across Europe more than 30 years ago. As time went on, the EU recognized these archaic regulations needed serious revision in order to provide adequate data protection in the 21st century; as a result, GDPR was born.
Even though GDPR is primarily a European regulation, it will likely affect US organizations, as well, not just companies based in the EU.
One of the biggest changes GDPR brings is its dramatically increased scope. Once the legislation takes effect, any entity, regardless of location, will be held accountable if they process or control data of an EU citizen. In today’s global economy, there is a good chance this applies to your organization.
In addition to its increased scope, GDPR also impacts a wide range of personal data. Deliberately broad, GDPR protects EU citizens’ personal data, defined as, “any information relating to an identified or identifiable natural person.” The category of personal data includes: names, identification numbers, location data, IP addresses, cookies, and biometric or health data.
This is an important definition because in today’s data-driven world, both e-commerce and online advertising rely heavily on tracking the behavior of consumers and many of the data points collected fall squarely within the purview of GDPR. Similarly, many cloud services and hosting providers capture and store user data which classifies as personal data under the new regulation.
Data Processing Roles
Another critical aspect of GDPR is the distinction between the different entities which handle data and their unique security obligations. The language of the regulation differentiates the roles of controllers and processors.
A controller is a person or entity who determines the purpose or means for processing data. In comparison, a processor is a person or entity who carries out the actual processing of said data. Apart from their unique relationships to the data, the regulation states, “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Some recommendations include encryption and pseudonymisation of the stored and processed personal information.
Apart from instituting better data security measures, companies will also be held to stricter standards when it comes to reporting data breaches.
GDPR stipulates if a breach “results in a risk for the rights and freedoms of individuals” then the offending company has a responsibility to report said breach to the proper authorities within 72 hours of discovery. Data processors are mandated to report a breach “without undue delay” to the impacted parties.
Monetary penalties for GDPR violations will be levied based on the size of the transgressing company and the severity of the incident. Extreme cases, such as not gaining sufficient consent to process data, could result in a maximum fine of 4% of annual global turnover or €20 Million, whichever is higher.
Had GDPR been in effect a few years ago, Uber would have been in even more hot water after their data breach in 2016. The personally identifiable information — including names, email addresses, and phone numbers — of over 57 Million Uber users across the world was compromised. This most certainly included information of EU citizens. Since Uber delayed reporting the breach to the authorities and affected parties, they would have been subject to some hefty fines.
Uber’s data breach is just one example in a growing number of data privacy incidents plaguing small and large organizations alike. Clearly, companies who control or process the data of EU citizens need to rethink how they ensure the safety of customer data.
Impacts of GDPR
The most immediate impact for companies processing or controlling data regulated under GDPR will be their compliance efforts.
A PwC survey estimates over 60% of US-based companies plan on spending between $1 - $10 Million to conform with GDPR. Specific costs will largely depend on the company’s current data protection procedures and the scope of the data they collect.
While upfront costs appear large at first glance, the benefits of compliance may quickly outpace initial expenditures. With IBM estimating the average cost of a data breach for global companies to be around $3.6 Million, taking action now will save companies big time down the road.
Firms are also beginning to see the positive impacts of data security within the marketplace. In a recent survey, 74% of respondents believed complying with GDPR would give their company a distinct competitive advantage.
A New Approach to Data Security
GDPR emphasizes the need for companies to actively implement new methods of data protection. The regulation itself recommends all data be subject to pseudonymisation, a way in which data is processed so that it is no longer attributable to an individual. This method is an important step and it provides an initial layer of security. However, total data security requires a more foundational approach.
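As an added illustration of the pseudonymisation the regulation recommends (example code written for this post, not part of the regulation or any vendor's product), the snippet below replaces direct identifiers with keyed HMAC tokens: records about the same person still join together for analysis, while the secret key and the re-identification table are held separately from the dataset. The record layout and the sample customers are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; the names and e-mail addresses are made up.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "Ada@example.eu", "country": "FR", "orders": 3},
    {"name": "Ada Example", "email": "ada@example.eu ", "country": "FR", "orders": 1},
    {"name": "Bo Sample", "email": "bo@example.eu", "country": "DE", "orders": 7},
]

# Fields that directly identify a person; the remaining fields stay as they are.
DIRECT_IDENTIFIERS = ("name", "email")


def normalise(value: str) -> str:
    # Canonicalise so that "Ada@example.eu" and "ada@example.eu " get one pseudonym.
    return value.strip().lower()


def pseudonym(value: str, key: bytes) -> str:
    # HMAC-SHA256 under a secret key: deterministic, so records about one person can
    # still be linked, but not reversible or guessable without the key (an unkeyed
    # hash of an e-mail address would not offer that protection).
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (pseudonymised copies, re-identification map).

    The map is the 'additional information' that makes re-identification possible;
    it is stored with the key, apart from the dataset handed to analysts or processors.
    """
    reident = {}
    out = []
    for rec in records:
        copy = dict(rec)  # the original records are left untouched
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                token = pseudonym(copy[field], key)
                reident[token] = normalise(copy[field])
                copy[field] = token
        out.append(copy)
    return out, reident


def reidentify(token: str, reident: dict):
    # Only the party holding the re-identification map can resolve a token.
    return reident.get(token)


if __name__ == "__main__":
    data, lookup = pseudonymise(SAMPLE_RECORDS, secrets.token_bytes(32))
    print(data[0]["email"] == data[1]["email"], reidentify(data[0]["email"], lookup))
```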
When it comes to our systems, that means addressing privacy and security risks at the lowest possible level -- in the hardware. The processors inside our connected systems need to be redesigned with computing security in mind, to make them immune to cyberattacks. Integrating security directly into the hardware is the only way to guarantee total and infallible data protection.
The global nature and scope of GDPR is changing the landscape of data privacy. As more companies begin the path towards compliance, computing security will become an essential part of this journey.