When the European Union adopted its data protection reform package in April 2016 and published it that May, it was widely considered a major legislative event for information security. The centerpiece of that package is the EU General Data Protection Regulation (GDPR). With it, the European Union became the largest governing body in the world to write data protection practices into law that bind every one of its member states. When the regulation becomes applicable in May 2018, watchdog organizations will be observing whether these practices actually improve data protection in practice.
In the market there is growing concern about data privacy. Large-scale breaches of sensitive customer information continue to be an almost weekly occurrence around the world, and companies are spending millions on cyber insurance. When polled, nine out of ten Europeans expressed concern about mobile apps and platforms collecting their data without consent, and many of those polled also worried that, once collected, their data could be disclosed to other parties.
In a general sense, the 2016 reform package updates and modernizes the principles put in place by the 1995 Data Protection Directive. The reform sets a single EU-wide data protection standard, reinforces individuals' rights, and streamlines international transfers of personal data.
The regulation frames these rights as a defense in a rapidly changing global market. The right to data portability, for example, gives individuals easier access to the data a company holds on them, the ability to take that data to another provider, and clearer information on how it is processed. If a customer no longer wants or uses a service, the 'right to be forgotten' (formally, the right to erasure) lets that individual require the company to delete their personal data rather than keep it on file. Many organizations retain customer data long after a service is cancelled, for a variety of reasons, which makes a breach at that organization all the more of a shock for former customers whose data should no longer have been there.
Another clause in the regulation is better visibility once a breach has occurred. It requires the company to notify its national supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of the breach, and to notify the affected individuals directly when the breach is likely to put them at high risk, so that customers can take appropriate action regarding whatever information has been compromised.
Most organizations have crisis management processes and procedures, and when a breach occurs the private entity will often spend time planning how to communicate the intrusion while keeping its reputation intact. The idle time between the actual breach and the notification gives the malicious actors a window in which to use the stolen information in whatever nefarious ways they have planned; a notification deadline is meant to shorten that window.
The concept of data protection by design and by default is another staple of this legislation. It requires that privacy safeguards be built into a product from its inception rather than bolted on afterwards, and that the privacy-friendly option be the default setting, so that a user who changes nothing gets the most protective configuration.
One can see how major players like Facebook now present their privacy settings on a completely separate toggle from the rest of the product's settings. This affirms the importance of privacy settings and shows how they should be separated from ordinary administrative settings.
One of the more interesting aspects of this legislation is that global companies and organizations will now have to realign their products and services to meet these demands if they offer goods or services to people in an EU member state, or monitor their behaviour, even without having any establishment in the EU. With this reform, the same rules that apply to companies located within the borders of the EU also apply to a company in the United States that does business with EU residents.
Failure to abide by the new rules within the GDPR has consequences. Depending on the nature of the infraction, administrative fines can reach 20 million euros or 4% of the organization's total worldwide annual turnover, whichever is higher. This is a huge step in the power of national data protection authorities.
Given that the regulation applies from next year, many companies are beginning to scramble to make sure they are compliant with each section of the package. This may present some hurdles for many organizations: systems that process personal information may have to be redesigned, and contracts with the third parties that handle company data may have to be renegotiated. All of the above requires both human and financial capital that a company may or may not have; a new global recession, for instance, could leave organizations without the resources to comply with the new mandates.
The United States, with its own laws regarding data protection, will most definitely be watching how both the implementation and the administration of the GDPR are handled. With the U.S. Congress looking more and more at mitigating cybercrime and protecting data privacy, legislators will use this example to argue why (or why not) to implement a similar reform package in the States.
With a rapidly changing global market, only time will tell whether this type of legislation helps the people it is meant to protect. In the meantime, here are some guides to help you secure your own data:
https://digitalguardian.com/blog/101-data-protection-tips-how-keep-your-passwords-financial-personal-information-safe
https://www.howtogeek.com/108033/the-top-10-tips-for-securing-your-data/
https://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure