The Age of the Right to be Forgotten
The European Union’s (EU) new data protection law, the General Data Protection Regulation (GDPR), took effect on May 25, 2018 and brought key changes to how personal data is handled for anyone located in the EU, not only EU citizens. It replaces the 1995 EU Data Protection Directive (95/46/EC). With GDPR’s adoption, the EU now has what are widely regarded as the world’s strongest data protection laws.
“Houston, We Have a Data Breach”
A number of massive data incidents in recent years have driven the conversation about security and data. Data breaches leave personal and sensitive information exposed and ready for the taking. Two notable cases are the Equifax breach and the Facebook/Cambridge Analytica affair, which was not a breach in the technical sense but a misuse of data collected through Facebook’s own platform.
Equifax is one of the three largest U.S. consumer credit reporting agencies and collects enormous volumes of data every minute. Its breach was discovered on July 29, 2017 but was not made public until almost six weeks later, on September 7. The attackers got in through a vulnerability in the Apache Struts web framework (CVE-2017-5638) for which a patch had been available since March 2017, a reminder that patch latency on internet-facing systems is itself a data protection failure. The breach affected about 146 million consumers, and more than 99 percent of them had Social Security numbers exposed. Other exposed information included roughly 200,000 credit card numbers with their expiration dates, thousands of passport images, and driver’s license data.
Facebook’s incident was of a different variety and came to light in March 2018, though it traces back to the run-up to the 2016 U.S. election. Cambridge Analytica, a political consulting firm that worked for Donald Trump’s 2016 campaign, obtained data on 50 million Facebook users (a figure Facebook later revised to as many as 87 million). The data came from a Facebook-linked app called ‘thisisyourdigitallife’, which paid users to complete a detailed personality test that was supposedly for academic research. The data was actually used to build profiles of voters, predict voting patterns, and influence U.S. voting decisions through micro-targeted advertising. The app also pulled data from the friend lists of the test takers’ linked profiles, people who had never consented, because the platform’s API at the time let an app read a user’s friends’ data through that single user’s permissions.
Changes GDPR Brings to How Data is Handled
The regulation is centered on giving people more control over the data that businesses and organizations collect about them. GDPR covers personal data, meaning any information that can identify a person (e.g. name, address, or IP address), and the special categories of sensitive data (e.g. medical information, sexual orientation, and political or religious views), as well as everything already covered under the 1995 Directive. The changes place accountability for that data squarely on the businesses and organizations that collect it.
Enforcement falls to a supervisory authority in each member state; in the UK that is the Information Commissioner’s Office (ICO). Under GDPR, every use of personal data needs a lawful basis, and where that basis is consent, the consent must be an explicit opt-in that the person can withdraw at any time. For example, a website may ask you to opt in to non-essential cookies before continuing to use the site, and pre-ticked boxes no longer count as consent. The regulation also lets a person request a copy of the data a company holds on them, free of charge, through a Subject Access Request (SAR). Once a request is received, the organization has one month to locate and provide that person’s data, extendable by a further two months only for particularly complex or numerous requests.
Businesses and organizations that decide why and how personal data is processed act as data controllers and have a number of other new rules to follow under GDPR. The requirement to appoint a Data Protection Officer is not tied to headcount: it applies to public authorities and to any organization whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data. (The 250-employee figure is a separate, narrower exemption from record-keeping duties for small organizations.) Information that does not need to be accessed should not be accessible, which in practice means least-privilege access controls and collecting only the data that is actually needed.
These obligations apply to outsourced data as well as to on-premises data centers. Because personal data may only leave the EU for countries with an adequacy decision or under approved safeguards such as standard contractual clauses, the physical location of data centers matters. Companies using cloud service providers (which act as data processors) should require, in the contract, that the provider notify them of any security incident without undue delay and assume responsibility for the security of the data it holds on the company’s behalf; GDPR mandates such a written processing agreement.
If personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed without authorization, the controller must report the breach to its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected, and must inform those people directly when the risk to them is high. Again, this is about making businesses more accountable.
Many cloud service providers have already positioned themselves for GDPR compliance. Amazon says AWS provides more than 500 features and services focused on security and compliance. Microsoft’s Azure has been preparing for GDPR for over a year, and Microsoft states that its experience developing cloud solutions with built-in security makes it a leading voice on solving GDPR challenges in the cloud. Google Cloud has also stated its commitment to compliance across all cloud services by providing “robust privacy and security protections built into our services and contracts.” Companies already using cloud services with such benefits have a leg up compared to those starting their compliance journey from scratch, with one caveat: a provider’s certifications cover only its side of the shared responsibility model. The customer remains the controller and is still accountable for what data it collects, who can access it, and how it is configured in the cloud.
Breaking Down the Cost of Compliance
The cost of complying with GDPR is a high priority for businesses looking to partner and work within the EU. GDPR applies to any organization that offers goods or services to people in the EU or monitors their behaviour, wherever the organization itself is located, so businesses looking to break into the European marketplace need to secure their footing early rather than risk being barred from doing business in the EU.
Compliance costs stem from a variety of arenas. A survey conducted by Paul Hastings LLP, a global law firm, found that Fortune 500 companies were budgeting upwards of $1 million for technology alone. Companies are also budgeting for new hires to manage regulatory issues that may present themselves. The survey found that 34 percent of the FTSE companies surveyed in the UK had set aside $501,000 to $1 million. Many are revamping budgets to include third-party legal help with GDPR compliance issues; however, 22 percent of U.S. firms had not prepared budgets at the time of the survey. Although compliance with GDPR may carry a huge price tag, it is nothing in comparison to the cost of non-compliance: the most serious violations can draw fines of up to 20 million Euros or 4 percent of a company’s annual global turnover, whichever is greater.
Even though GDPR brings heaps of new rules and regulations, the companies themselves gain from the new procedures. GDPR helps businesses understand their customers better, since cleaning and mapping data increases data visibility across the organization; it protects brand reputation through privacy practices put in place before any breach; and it can lower cyber insurance premiums and civil litigation costs, two areas where a significant reduction in annual spend is likely. Most importantly, the security measures GDPR requires reduce both the likelihood and the impact of a data breach in the first place, which is something all businesses should get behind.