D-Day is coming to Europe next spring, and no, we’re not talking about World War II. For us in the here and now, the “D” in D-Day stands for Data. In May 2018, new data protection regulations will take effect in the EU, and the impact on businesses and consumers will be enormous.
The European Union General Data Protection Regulations (GDPR) have not been updated since 1995. Twenty years is a lifetime in the world of technology. So much has changed. Most of our lives are intertwined with technology now, and our digital alter-ego (data profiles of who we are and what we do) is living somewhere in the cloud, traveling the earth in milliseconds. Amid the looming chaos of privacy exploitation and hacking, consumers are justifiably concerned and doubtful. Does privacy even exist anymore? Is anything secure? People want their privacy protected. They want to trust that their data is secure, but at the same time they want the convenience of personalized consumption and instant access. It’s a tough balance to strike.
Fundamentally, the goals of GDPR are to reassert individual privacy rights, foster a more robust EU internal market, strengthen law enforcement, streamline international transfers of personal data, and unify global data protection standards. The new data protection regulations will consist of a two-part implementation. The first part is the General Data Protection Regulation itself, the new rules. The second part involves the enforcement arm, a Data Protection Directive for police and criminal justice entities.
According to public information released by the European Commission, we are going to see some interesting outcomes from GDPR.
Privacy rights make a comeback. The privacy regulation aims to improve individuals’ right to virtually “be forgotten”: when they no longer want their data held, it must be deleted (with exceptions: data may be retained for contractual or legal compliance reasons until it is no longer needed). Individuals’ access to their personal data will be easier to obtain. They will have a right to port their data between different providers and the right to be notified when their data has been breached. In addition, companies must inform the authorities which accounts were hacked in a timely fashion.
The European Commission says “data protection by design and default” will become the norm. Products and services must be safeguarded via built-in data protection. Privacy will become the primary focus and could lead to new business innovations. This includes new techniques for data encryption, removing personal identification from data sets, and replacing PII fields in data records with artificial identifiers. All of these could restore trust between individuals and the companies holding their data by limiting exposure.
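The last technique mentioned above, replacing PII fields with artificial identifiers (pseudonymization), is easy to get wrong: a bare hash of an e-mail address can be reversed by hashing guesses. The following is an added example, not code from the original article or from the European Commission, showing a keyed approach in which the data set only ever holds tokens while a separate mapping, kept by the data controller, allows re-identification and can be deleted to honor an erasure request. The key value, the field names in `PII_FIELDS`, the function names and the sample record are all constructed for this illustration.

```python
import hmac
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed placeholder: in practice the key comes from a KMS/HSM and is
# stored apart from the data set, so the data set alone cannot be re-identified.
SECRET_KEY = b"PLACEHOLDER-replace-with-32-random-bytes-from-a-kms"

# Fields that directly identify a person (assumed schema for this example).
PII_FIELDS = ("name", "email", "phone")


def make_token(value: str, key: bytes, field: str) -> str:
    """Derive an artificial identifier for one PII value.

    A keyed HMAC (not a plain hash) is used so that someone holding only the
    data set cannot recover the value by hashing likely names or addresses.
    The field name is mixed in so the same string in two fields yields two
    different tokens, which limits cross-field linkage.
    """
    msg = field.encode() + b"\x00" + value.encode()
    mac = hmac.new(key, msg, hashlib.sha256)
    return field + "_" + mac.hexdigest()[:24]


def pseudonymize(record: Dict[str, str], key: bytes,
                 fields: Iterable[str] = PII_FIELDS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Replace PII fields with tokens.

    Returns (safe_record, mapping). safe_record is what an analytics or
    partner data set holds; mapping (token -> original value) stays with the
    controller under separate access control.
    """
    safe = dict(record)
    mapping: Dict[str, str] = {}
    for field in fields:
        if safe.get(field):
            token = make_token(safe[field], key, field)
            mapping[token] = safe[field]
            safe[field] = token
    return safe, mapping


def reidentify(safe_record: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Restore original values where the mapping still has them.

    Tokens whose mapping entry has been erased stay as tokens: the record is
    still usable for aggregate statistics but no longer points at a person.
    """
    return {k: mapping.get(v, v) for k, v in safe_record.items()}


def erase_subject(mapping: Dict[str, str], tokens: Iterable[str]) -> int:
    """Handle an erasure request by dropping the mapping entries for a subject.

    Returns the number of entries removed.
    """
    removed = 0
    for token in tokens:
        if mapping.pop(token, None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    # Constructed sample record; not real data.
    customer = {"name": "Alice Example", "email": "alice@example.test",
                "city": "Dublin", "purchases": "3"}
    safe, lookup = pseudonymize(customer, SECRET_KEY)
    print("shared data set row:", safe)
    print("re-identified:", reidentify(safe, lookup))
    erase_subject(lookup, [safe["name"], safe["email"]])
    print("after erasure:", reidentify(safe, lookup))
```

Because the tokens are deterministic under one key, the same person joins correctly across tables, which is usually the reason analytics data was kept in the first place. Pseudonymized data is still personal data under the GDPR as long as the key and mapping exist, so the protection comes from keeping those separate and from deleting the mapping entries (or rotating the key) when a subject exercises the right to erasure.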
Costs. Yes, it will require investment to upgrade apps and services, but the tangible and intangible payoffs of compliance with the new regulations are real. According to estimates, Europeans’ personal data value could be worth upwards of €1 trillion by 2020. With stronger data protection regulations in place, opportunities will grow.
Streamlined regulations. There are currently 28 separate laws on data protection that are incoherent and unwieldy. The plan is to have these 28 individual laws consolidated into one. Estimated savings for companies and organizations could be as much as €2.3 billion per year. After the new data protection regulations take effect, companies will deal with one single supervisory authority only, making it easier to do business in the EU. This will level the playing field by applying the same rules to all companies, regardless of size or location. Companies outside of Europe must follow the same rules when doing business in the EU.
Negative reinforcement: Be prepared or pay up! The EU is expecting merchants to be more responsible for protecting customer data. Those who experience data breaches will face severe sanctions. Beginning May 25, 2018, the EU will impose heavy fines levied as a percentage of revenue on companies violating the GDPR rules. Smaller companies doing business in the EU may be unaware how soon these regulations are coming online. Liability is an obvious concern, so active steps to achieve compliance must be taken. Products and infrastructure must be reviewed and updated. A sustainable cyber security program must be in place. The cost of compliance must be accounted for, and the ROI should initially be measured against the preparedness and protection from fines and liability. In the long term, as mentioned above, the new regulations could result in a more level playing field and increased business opportunities.
Organizations should act now:
- Review and analyze the GDPR. Seek advice. Leave nothing to chance. Learn the precise meaning of “personal data”.
- Update your documentation for personal information and security practices. Update policies and procedures for breaches, incident reports and risk assessments. Review all relevant contract and agreement language.
- Figure out how to best mitigate risks of noncompliance.
For more information about the European Union General Data Protection Regulations (GDPR) check out this European Commission website, with press releases, questions and answers, factsheets, legislative texts, the current legal framework, and public opinion surveys.