On 25 May, the General Data Protection Regulation (GDPR) will become a key document protecting the privacy of European Union (EU) citizens. It will change the way companies handle their customers' private data.
Today, many companies do not meet the data protection requirements this new legislation imposes. Companies all around the world are struggling with a necessary but complete upheaval of the way they process user data.
What is General Data Protection Regulation?
- GDPR is the framework for new data protection laws in the European Union, prompted by the new, complex and abundant ways we now use data.
- It will replace the 1995 data protection directive. GDPR tries to close the gaps in consumer protection that exist today.
- It is an attempt to make regulations more cohesive and unified across the entire EU, making it simpler for businesses to operate within the law.
- It introduces harsher consequences for non-compliance and breaches. It also gives consumers more input on what companies are doing with their data, requiring consent for data usage.
- Under the new legislation, controllers must ensure personal data is “processed lawfully, transparently, and for a specific purpose,” according to IT Pro. Once the purpose of collecting that information is completed and is no longer required, it should be deleted promptly.
Who does it affect?
- Some, but not all, companies are scrambling, and will continue to scramble, to comply with these regulations. Some are already in compliance.
- Parties are far more liable for non-compliance under these new regulations than they ever have been before.
- Consumers must be able to consent to the use of their data explicitly.
- It affects companies both in and outside of Europe. As long as you are processing European citizens’ data, you’re liable.
According to IT Pro: “‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is a party doing the actual processing of the data. So the controller could be any organization, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.”
How does consent work?
- Businesses must adapt their models so that users are able, and required, to give affirmative, explicit consent to the use of their data, whereas today passive consent is usually all that is required. Controllers will have to keep a record of this consent, including when and how it was given. Consumers will be able to withdraw their consent at any point.
- Companies must get parental consent when dealing with the data of children under 16.
- If companies’ current models do not fit with these requirements, they will have to adjust their systems or else face hefty fines.
How will it affect Network Operators?
GDPR will introduce a more granular and accountable approach to safeguarding and protecting personal data:
- It concentrates on the practical assurance of personal data protection, requiring adequate administrative and technical controls to be in place to continuously measure risk.
- It dictates stronger enforcement of the requirements and rules; non-compliance may result in fines of up to 4% of global annual corporate turnover.
- It widens the rights of data subjects and requires adequate administrative and technical measures to be in place to support those rights, including the right to request and obtain their data, the right to be informed of data breaches, and the right to be forgotten.
- It will force data protection and accountability measures to be built into processes and systems by design; otherwise most companies will struggle to comply with GDPR requirements.
Alongside the benefits this regulation will bring to the global market, it will also introduce initial challenges and non-compliance risks for companies that collect, process and store personal data.
What benefits will GDPR bring to overall cybersecurity hygiene?
There is no question this regulation will introduce challenges for less prepared, less cyber-mature companies, especially those that have not invested time and effort in overall IT security hygiene and have no plan for annual audit checks covering privacy, regulatory and other compliance areas.
On the other hand, GDPR will, hopefully, be the driving force that pushes the global community and companies worldwide to take this topic seriously: to implement proper controls, asset management policies and a risk-based approach in their daily operations.
We should see positive impacts and benefits such as:
- Removing silos between IT, security, business and legal teams within the company. GDPR will be the key driver of closer cooperation across units that will need to address privacy and security concerns at the same table.
- A new role of Chief Privacy Officer (CPO) at a senior or even executive level will need to be established, with end-to-end ownership of all the controls and procedures required to introduce transparency through these uncertain and challenging times. The CPO will be a crucial asset, sitting in board meetings to spread situational awareness and drive decisions that address regulatory and privacy concerns together with legal counsel and the board.
- Effective and granular asset management practices. To implement the regulation, companies will need to ensure that not only physical assets but also the types of information they collect and store are accounted for and tracked throughout their whole lifecycle. This enables more comprehensive administrative, technical and security controls and strengthens cyber resilience and visibility across cyber operations teams, maturing the organization's ability to protect itself from a variety of cyber attacks through a risk-based approach and proper resource management.