The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. For many companies – particularly those based in or doing significant business in the EU – it has created a sense of urgency that might rival that of Y2K.
Put simply, GDPR seeks to give European Union citizens more control over their personal data and requires that companies adopt appropriate security measures designed to protect EU citizens whose data is being collected and to help mitigate the risk of a data breach.
It applies to any personal information that can be directly or indirectly tied back to an individual; that includes everything from biometrics to credit card numbers, photographs and device IDs, to name a handful of examples.
GDPR is focused on shoring up privacy and security for consumers, but the upshot is better digital business. After all, data breaches and data loss can negatively impact digital businesses.
Though it is rooted in Europe, GDPR can have far-reaching implications for how organizations, government agencies and companies globally – regardless of size – handle personal data. In addition to affecting companies operating in Europe, it extends to entities providing goods or services to European citizens. For example, a US-based company that sells goods or services online to EU citizens could fall under the purview of GDPR.
The cost of non-compliance? In addition to potential fines of up to 4% of annual turnover, organizations that don’t comply also risk facing legal fees as well as indirect costs, such as negative publicity.
While many larger enterprises outside of the EU have been grappling with this new data protection regulation, more small and medium-sized businesses (SMBs) around the world are also taking note. In the most recent Oracle and KPMG Cloud Threat Report 2018, 38% of SMBs surveyed indicated that they are required to comply with GDPR.
Among that group, 48% indicated that the regulation materially impacts their cloud strategy and cloud service provider (CSP) evaluation process; a full 25% noted that it significantly impacts their strategy and evaluation.
To be sure, organizations of all sizes and across all industries are dealing with increasing amounts of personal data and data security issues. So pervasive is data that, according to The Economist, its global value has surpassed that of oil. With the rise of data comes a whole new level of responsibility for companies to comply with and protect this precious resource.
GDPR aims to do this by promoting the use of best practices and well-established security concepts. It requires “controllers” (such as a customer contracting for services) and “processors” (such as cloud service providers) to adopt security measures that ensure a level of security appropriate to the risk to the rights and freedoms of the individuals whose data is being collected and used by the controller (“data subjects”).
There are many facets to GDPR, which contains 99 articles and 173 recitals, but the IT systems that are used to collect, store and handle personal data are the foundation of data protection. Among other things, organizations need to know where data resides, understand their risk exposure, know when it is necessary to modify existing applications, and integrate security into their IT architecture.
As with any new regulation, GDPR has its share of complexities and ambiguities. Nevertheless, the benefits of adopting strong data protection go beyond protecting individuals. In the long run, SMBs that embrace good security practices are less vulnerable to cybersecurity incidents, such as espionage, organized crime and insider-related breaches.
GDPR is aimed squarely at protecting personal data, but organizations that take steps to shore up their security and rethink their other data security practices and policies to address their GDPR compliance needs may ultimately come out ahead.