With the increasing number of global data breaches targeting PII (Personally Identifiable Information), the EU (European Union) and Great Britain have promulgated the General Data Protection Regulation (GDPR), delineating how the personal information of EU citizens will be protected, shared, stored, processed and managed. The General Data Protection Regulation will replace the Data Protection Directive 95/46/EC. The goal of the GDPR “is … to standardize data privacy laws across the EU with the main objective to ‘protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” Organizations will be held to a much higher standard regarding how the personal data of EU citizens is managed.
Who is impacted by GDPR? What Data Categories are Protected?
All EU countries and partners are affected, as are all organizations which offer goods or services to EU residents and/or which collect, store, transfer, or process the personal information of any EU resident. The data categories protected by GDPR include the “usual suspects,” but are not limited to them: the regulation covers any information related to a natural person, referred to as the ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from names, photos, email addresses, financial and health-related information, bank details, law enforcement activities, and posts on social networking websites to a computer IP address. Renewed and particular emphasis is given to data that can be used in behavior-predicting algorithms. Use of employment, social media, political speech and activity, and health-related activity data is protected, particularly if such information is “processed” to predict behavior.
When does GDPR go into effect? What is the range of possible effects of non-compliance?
GDPR becomes effective in May 2018. Any organization which is not in compliance by that date is subject to maximum fines of up to 4% of annual global revenue or €20 million. GDPR has also established a tiered system whereby organizations can be fined up to 2% of annual global revenue if their record-keeping is not compliant, if they have failed to properly notify governing authorities and breached individuals of any disclosure or destruction of personal information, or if they fail to perform a required impact assessment. For purposes of imposing fines, there is no differentiation between controllers (collectors of personal information) and processors (whether in the EU or elsewhere, who process the personal information of an EU resident), so “clouds” will not be exempt.
Global Impact is Helping, Not Hurting
Every organization is vulnerable to a data breach. The fact that payment card information (PCI) is no longer the only focus of cybercriminals has forced countries to rethink how personal information is shared and protected. Revealing personal information can have much broader and longer-term consequences, and will continue to plague organizations which do not properly secure data containing personal information. Given the GDPR’s emphasis on the role of personal data in predictive behavior algorithms, government enforcement actions appear much more likely under the GDPR. Other risks of non-compliance are those usually associated with data breaches: lost customers, class action lawsuits, government enforcement actions, and lower stock prices are among the many possible consequences that lie in wait for organizations which ignore compliance requirements. The EU is setting the right example for countries worldwide in creating a detailed framework of regulatory oversight covering all aspects of handling the personal information of its citizens and residents.
How organizations secure their data and adhere to the protocols established by the GDPR will greatly reduce the disclosure/breach risks that organizations must manage, which will hopefully result in higher levels of organizational data security. The GDPR will certainly require internal resources and financial commitments from companies and organizations subject to it. But that investment is well spent, and as with PCI compliance, compliance with the GDPR is going to be a part of everyday life for any enterprise organization doing business in the EU. The financial consequences of ignoring it or failing to comply are simply too severe.
Stay tuned for Part 2 of 3 where we will discuss controllers, processors, and the governing bodies which will enforce the GDPR. Additionally, in Part 3 of this blog series, we will discuss TokenEx’s compliance program and TokenEx’s role in assisting organizations in becoming GDPR compliant. TokenEx is the industry leader in cloud tokenization. Follow us on Twitter and LinkedIn.