What began in the mid-1990s with EU privacy initiatives such as the Data Protection Directive has evolved into a full-blown regulatory framework under the GDPR. Approved by the European Parliament on April 14, 2016, the new rules are directly binding, giving EU residents control over their personally identifiable information (PII) and over how companies handle that information. PII was traditionally understood to mean a name, mailing or email address, or social security number, but its scope has expanded over the years to include IP addresses, login IDs, web search history, geolocation, social media posts, digital photos and more.
As a data controller or processor there are several primary requirements you must meet:
● Provide clear and specific data management policies as to how you collect and use personal data
● Inform users of data security breaches within 72 hours
● Comply with requests for the complete removal of personal data from servers (the “right to be forgotten”) within 30 days
Additionally, GDPR requires you to appoint a Data Protection Officer to oversee compliance if you are 1) a public authority or 2) an organization whose core activities consist of either data processing operations that require regular, large-scale monitoring of data subjects, or large-scale processing of sensitive categories of data.
Evaluating how GDPR will impact your business begins with answering some basic questions about your data:
While documenting data acquisition, storage and security may be the first step in compliance, GDPR raises many questions without clear answers. Given the global nature of data, businesses face real challenges when it comes to accurately identifying which users are protected under GDPR. Additionally, companies may need to adopt data masking strategies such as pseudonymization, which safeguards a user’s PII by replacing directly identifying values with substitutes that cannot be linked back to the person without additional, separately held information. Finally, the regulation also presents major issues for small and medium-sized companies that rely heavily on multiple SaaS (Software-as-a-Service) applications to run their businesses. The new rules will demand an evaluation and update of vendor agreements, as a cross-departmental effort, to ensure that Cloud Service Providers (CSPs) are also following GDPR requirements.
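The pseudonymization strategy mentioned above, and the erasure requirement listed earlier, can be illustrated with a small keyed-pseudonym scheme. This is an added example, not code from the original article or from any vendor named in it; the record layout, the set of fields treated as direct identifiers, and the sample records are constructed for the illustration. The design point is that the pseudonymization key is what links pseudonyms back to real people, so it must be stored apart from the pseudonymized dataset (for example in a key management service), and deleting it turns the dataset into anonymous data.

```python
"""Keyed pseudonymization of direct identifiers in flat user records.

Added example (not from the original article). Assumptions: records are flat
dicts; DIRECT_IDENTIFIERS is the organization's own list of directly
identifying fields; the key is held separately from the pseudonymized data.
"""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (an assumed set for this example).
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")

# Constructed sample records, not real people or real data.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "ip_address": "192.0.2.10", "plan": "pro"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "ip_address": "198.51.100.7", "plan": "free"},
    {"id": 3, "name": "Alice Example", "email": "alice@example.com",
     "ip_address": "192.0.2.11", "plan": "pro"},
]


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Deterministic pseudonym for one field value.

    HMAC-SHA256 is keyed, so a party without the key cannot recover the input
    by hashing guesses. A plain unkeyed hash would not do for low-entropy
    fields such as an IPv4 address. The field name is mixed into the message
    so the same string in two different fields yields different pseudonyms.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers pseudonymized."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonym(str(out[field]), key, field)
    return out


def pseudonymize_dataset(records, key: bytes) -> list:
    """Pseudonymize every record; the same subject keeps the same pseudonym,
    so analytics can still join records per user without seeing the email."""
    return [pseudonymize_record(r, key) for r in records]


def erase_subject(pseudonymized, key: bytes, email: str) -> list:
    """Honour an erasure request: locate the subject's records via the keyed
    pseudonym of the email they supplied and drop them. Only a key holder can
    perform this lookup; the dataset alone does not reveal the email."""
    target = pseudonym(email, key, "email")
    return [r for r in pseudonymized if r.get("email") != target]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: fetched from a KMS, never stored with the data
    dataset = pseudonymize_dataset(SAMPLE_RECORDS, key)
    for row in dataset:
        print(row)
    remaining = erase_subject(dataset, key, "alice@example.com")
    print("records left after erasure:", [r["id"] for r in remaining])
```

Non-identifying fields such as `plan` pass through untouched, which is what lets a pseudonymized dataset stay useful for analytics. Note that pseudonymized data is still personal data under GDPR as long as the key exists somewhere; only destroying the key (and any other linking information) moves the dataset outside the regulation's scope.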
In the wake of recent scandals like Cambridge Analytica and others, the increase in data protection may sound like good news to individuals. However, it is pushing companies with European users and operations into a panic. Beyond the costs and challenges of compliance, GDPR violations can incur penalties of 4% of a company’s global revenue (or 20 million euros, whichever is greater). Ernst & Young estimates that the world’s 500 biggest corporations will spend $7.8 billion on GDPR compliance. For small companies with limited resources, the new regulations could cost them their business. In response, some businesses are simply opting out of the EU marketplace altogether or using creative solutions like the GDPR Shield app to block EU users from accessing their websites.
Compounding the problem is a lack of clarity regarding the mechanics of compliance. “Right now clients are coming to us and asking if they are affected or not,” says Five Talent CTO Ryan Comingdeer. “We’re urging them to consult with their legal counsel first. Even when companies are following best practices for data protection, GDPR raises a lot of questions about how to identify users, how far you need to go to remove personal data, and what specific compliance measures you need to take.”
Strategic partners like Amazon Web Services (AWS) can make the pathway to GDPR compliance easier for companies struggling to identify next steps. With over 500 GDPR-ready tool sets for security and compliance, AWS partners and customers can leverage features and services for running workloads in the AWS Cloud, including encryption, monitoring and logging, access control, data privacy, security by design, and internationally recognized certifications and accreditations.
The scope of the regulation and clearer legal definitions will most likely be worked out in the courts over time, but that isn’t reassuring if you’re trying to be proactive with compliance. “We recommend communicating often and being transparent with users about your data privacy policies and your internal initiatives for GDPR compliance,” says Comingdeer. “Whether they live in Europe or not, your users should know why you’re collecting their data, what you’re doing with it, and how you’re going to keep their data safe.” In addition, he advises companies to:
● Get explicit, informed consent from users to collect personal data
● Update terms and conditions and user licensing agreements for GDPR
● Create a plan of action in the event of a data security breach
● Consider an opt-in that asks users to identify whether they are European users
Regardless of what compliance strategy you choose, you’ll need to invest time and resources into understanding how GDPR can affect you. The effort to adopt best practices for data protection will benefit you and your users in the end.