The EU GDPR legislation explained
The GDPR (General Data Protection Regulation) affects many businesses, including retailers that use cloud services to store customer data. It requires organisations to protect the personal data and privacy of individuals in the EU, wherever the organisation itself is based. Non-compliance can be expensive, so read on for what you need to know about the GDPR and how it could affect you.
What is the GDPR, exactly?
The GDPR was adopted by the European Parliament and the Council in April 2016 and has been enforceable since 25 May 2018. It replaces the 1995 Data Protection Directive (95/46/EC) and requires organisations to protect the personal data and privacy of individuals in the EU. It also regulates the transfer of personal data to countries outside the EU.
The aim of the GDPR is to harmonise data protection law across the EU. Because a regulation applies directly in every member state (28 at the time of writing), companies face one core set of rules rather than a patchwork of national laws, although member states retain some room for national derogations. That single standard is a high one, and most companies have had to make a significant investment to meet it.
The GDPR exists because of public concern over the privacy and security of personal data; for years, Europe has taken a much stricter view than most regions on how companies may use the data of its residents. The 1995 Data Protection Directive, which the GDPR has replaced, predated cloud computing, smartphones and large-scale online tracking, and its rules no longer matched how data is collected, stored and shared.
For businesses, it is worth noting that in a recent data privacy and security report, 62 percent of consumers said they would blame the business, rather than the attacker, for their lost or compromised data. If you deal with EU consumers, keep this in mind: the reputational cost of a breach lands on you.
Not only applicable to EU companies
The GDPR does not apply only to companies established in the European Union. Under Article 3, it also applies to organisations anywhere in the world that offer goods or services to individuals in the EU or monitor their behaviour, and to processors acting for such organisations. Compliance can be tricky, because the GDPR takes a wide view of what counts as personal data: any information relating to an identified or identifiable person, including online identifiers such as IP addresses and cookie IDs.
The penalties will be much more severe
Data Protection Authorities (DPAs), the national supervisory authorities, have the power to impose severe administrative fines for infringements of the regulation, not only for data breaches. One important thing to note is that the GDPR takes a tiered approach to fines.
The upper tier, for infringements such as violating the basic processing principles, the conditions for consent or data subjects' rights, is up to €20 million or 4 percent of total worldwide annual turnover, whichever is higher. The lower tier, for infringements such as failing to notify the supervisory authority or affected individuals of a breach, or failing to implement appropriate security measures, is up to €10 million or 2 percent of worldwide annual turnover, whichever is higher. These ceilings are far above anything the Directive allowed. A practical point for anyone relying on cloud services: being hacked is not in itself the fined offence. What attracts a fine is failing to put in place the technical and organisational measures that Article 32 requires, or failing to notify a breach within the 72-hour window of Article 33, so the security and incident-response controls you can demonstrate are what matter when a regulator asks questions.
Explicit consent is needed from consumers
Consent is one of several lawful bases for processing, but where a company relies on it, the GDPR sets a high bar: consent must be freely given, specific, informed and unambiguous, requested in clear and plain language rather than buried in long, confusing legal terms, and as easy to withdraw as it was to give. Explicit consent is required for special categories of data such as health or biometric data. Consumers also have the right to data portability, meaning they can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller.
Consumers also have more control over their personal data, including the right to erasure, often called the ‘right to be forgotten’. This lets individuals ask a controller to delete data that is no longer needed, was processed unlawfully, or was processed on the basis of consent that has since been withdrawn. Applied to search engines such as Google, it means a person can ask for old, inaccurate or irrelevant results about them to be delisted, a right established earlier by the Court of Justice of the EU and now codified in the regulation. The right is not absolute: controllers can refuse where the data is needed for freedom of expression, legal obligations, public interest or the defence of legal claims.
Why GDPR compliance is difficult in the cloud
Organisations that process data through cloud services face some unique challenges under the GDPR, because responsibility for the data does not move to the cloud along with the data. You remain accountable for every platform that handles personal data on your behalf, such as Dropbox or Salesforce, so you must have a written processing agreement with each provider (Article 28), verify that its security measures are adequate, and know where in the world it stores and replicates your data, which can be difficult.
Some businesses use as many as 608 cloud apps, according to one survey, making compliance a veritable maze. Another survey found that only 12 percent of almost 200 IT organisations understood how the GDPR would affect their cloud services. Before they can bring their data storage practices into line with the regulation, these companies first need to understand what the GDPR means for their business: which systems hold personal data, which providers process it, and under which lawful basis.
Studies have shown that only about one percent of cloud providers offer encryption with keys that the customer manages. The GDPR does not prescribe specific controls such as password policies or encryption algorithms; Article 32 requires measures appropriate to the risk and names encryption and pseudonymisation as examples. In practice, though, only a small fraction of providers enforce strong authentication and password policies, and a customer that cannot control its own keys has little ability to demonstrate that its data is protected against the provider itself.
Data controllers are the organisations that decide why and how personal data is processed: banks, credit card services, retailers, health providers, charities, membership organisations, and every other business that collects data from consumers. Data processors handle that data on a controller's instructions; cloud service providers usually act as processors. Under the GDPR both parties have direct obligations and can be fined, but their liability is not identical. The controller carries primary responsibility and must choose processors that provide sufficient guarantees, while the processor is directly responsible for its own duties, including security, keeping records of processing, notifying the controller of breaches without undue delay, and not engaging sub-processors without authorisation.
Impact on the Information Security industry
Much of what the GDPR asks for is what information security professionals have been recommending for years. Controls such as encryption, pseudonymisation, access control and multi-factor authentication are long-established, and Article 32 names encryption and pseudonymisation explicitly as examples of appropriate measures. What changes is that these controls must now be applied deliberately to personal data, documented, and regularly tested, because the regulation requires you to be able to demonstrate that they are in place.
While the regulation should not be anything new to those in the industry, the GDPR does change what products clients will accept and which services they can use. Globally, information security products have been designed with ‘security first’ in mind, but this does not always mean that privacy is also first: a logging platform that retains every user identifier indefinitely, for example, is secure in one sense and a GDPR liability in another. The obligation of data protection by design and by default (Article 25) falls on controllers, but it flows through to vendors, because controllers will favour products that support data minimisation, retention limits, access logging and the handling of data subject requests, and will drop those that do not.
Information security professionals are expected to be one step ahead of their customers when it comes to regulations and directives. These experts therefore need a solid understanding of the regulation in order to help their clients comply.
As an information security professional, you may need several months of training to prepare for the new requirements. The GDPR makes a data protection officer (DPO) mandatory for public authorities and for organisations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data. One estimate put the number of DPO positions to be filled worldwide at least 75 000, and filling the role in a non-EU country could prove difficult. Clients may also ask whether your DPOs and other staff hold qualifications relevant to the GDPR.
Where do we go from here?
For many companies that use and store consumer data, the GDPR has been a wake-up call to adopt stricter data protection measures, and for some it became a scramble to put them in place. The enforcement date has passed, the penalties are severe, and regulators are now auditing and fining, so nobody can afford to treat compliance as optional.