The General Data Protection Regulation (GDPR) is a regulation of the European Parliament and the Council of the European Union, proposed by the European Commission, that protects the personal data and privacy of individuals in the EU and regulates the export of personal data outside the EU.
The GDPR was proposed in January 2012 as a replacement for the Data Protection Directive of 1995 and was adopted by both the Council of the European Union and the European Parliament in April 2016. It applies from 25 May 2018.
The GDPR applies to any organisation that stores or processes the personal data of individuals in the EU, whether or not the organisation itself is established in an EU member state.
Because it is consistent across all twenty-eight EU member states, companies can adhere to a single standard across the EU. Each member state establishes an independent Supervisory Authority (SA) that receives and investigates complaints, imposes administrative fines, and carries out related enforcement tasks.
Although aiming at European Union countries, the GDPR will also have a big impact on other companies in the world that offer goods and/or services in Europe, or monitor the behavior of EU data subjects.
This means that companies that collect data on citizens in European Union countries will need to comply with this set of rather strict rules that will further protect customer data.
Under the GDPR, personal data is any information relating to an identified or identifiable natural person (the “data subject”), that is, anything that can be used to identify a person directly or indirectly. In practice this puts a name, postal address, email address, photos and posts on social networking sites in the same category as bank details, medical information and a computer's IP address. Note that some of these, such as health data, are additionally treated as “special categories” of personal data and are subject to stricter processing conditions.
The General Data Protection Regulation (GDPR) defines several roles that carry responsibility for compliance with the regulation, including the data controller, the data processor, and the data protection officer (DPO).
The data controller is the entity that determines the purposes and means of the processing of personal data. The data processor, on the other hand, is an entity that processes personal data on behalf of the controller, for example a cloud service provider.
The data protection officer (DPO) is a role that must be appointed by organisations whose core activities involve large-scale processing of special categories of personal data or large-scale, regular and systematic monitoring of individuals, and by public authorities, with limited exceptions.
What makes the GDPR distinctive is its treatment of data breaches: a breach that may pose a risk to individuals must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and, where the breach is likely to result in a high risk to individuals, communicated to the affected individuals without undue delay.
While the regulation sets out responsibilities and accountability in detail, as well as the conditions for valid consent, it is also the first regulation to directly address the personal data of children, setting 16 as the default age of consent for online services (member states may lower this to 13). It also gives data subjects both the right to erasure and the right to data portability, allowing them to request erasure of their personal data in specified circumstances and to request the transfer of their personal data from one system to another.
As the GDPR is a regulation rather than a directive, it is a binding legislative act that applies directly in every member state without national transposition, and it is enforceable from May 2018.
The GDPR also defines strict fines for non-compliance which are set at up to 4 percent of annual global turnover or €20 million, whichever is higher.
Plenty of companies have already started to offer solutions intended to help businesses become GDPR-compliant. According to some, compliance requires a combination of changes to both technology and process, as well as an enterprise-wide privacy assessment. Many of these vendors apply machine learning to give better insight into the data an organisation holds, to secure it, and to detect security breaches quickly.
While we are just less than six months away from the GDPR coming into effect, various surveys and reports suggest that businesses are either confused and/or unprepared for the GDPR.
According to Gartner’s predictions, more than 50 percent of companies affected by the GDPR will not be in full compliance with the requirements by the end of 2018. According to a survey done by WatchGuard Technologies, 37 percent of companies did not even know if they need to comply with the GDPR, even if 14 percent of those companies did collect data from EU citizens.
To make things worse, some of the US-based companies are re-evaluating their presence in Europe, with 32 percent planning to reduce their presence in Europe and 26 percent intend to exit the EU market altogether.
While it might sound grim for some companies, the GDPR will bring a lot more protection for personal data.
According to some reports, even the recent Uber data breach, in which the company concealed a hack that affected the personal data of over 57 million customers and drivers, would have been sanctionable under the GDPR. Even though the hack happened in North America, it would still fall under the regulation if the data included that of individuals in the EU.
There are plenty of resources regarding the General Data Protection Regulation (GDPR), including the full text of the regulation, which offer a decent guide to the GDPR.
- IDC’s Five Steps to GDPR – https://cloud.kapostcontent.net/pub/7bf8f985-a7c1-42f6-a89a-0e7a459fd435/idc-five-essential-steps-for-gdpr-compliance.pdf?kui=UZihyC4LrKkqtFHnKE7PqA
- Microsoft‘s GDPR Resources – https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
- Gartner’s Five Point Guide to GDPR – https://www.gartner.com/newsroom/id/3701117
- SAS’s “Working toward GDPR compliance” e-book – https://www.sas.com/en_ca/whitepapers/gdpr-compliance-109048.html
- ICO’s Guide to the General Data Protection Regulation (GDPR) – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr