Historically, privacy concerns have been a lower priority than convenience and wealth. But over the years, people, organizations and governments have come to realize the negative impact a breach of private information can have on consumers. As a result, we have seen an increasing number of privacy laws passed by governments across the globe over time.
The European Union (EU) General Data Protection Regulation (GDPR) is the latest privacy-based regulation, and its effective date is quickly approaching. Organizations worldwide must be ready to comply with many stringent requirements starting May 25, 2018. It will impact organizations across the globe that handle personal data for EU residents.
Even before its application date, the GDPR has had a major impact by putting forth substantive updates and new requirements. Organizations around the world are grappling with the issue of how to ensure compliance and still maintain solid business processes.
A few of the provisions include:
- Article 15, which grants EU residents the “right of access” and requires companies to detail what personal data is processed and how it is processed upon request;
- Article 17, arguably one of the toughest new requirements, granting the right to be “forgotten” and data erasure — which require companies to stop processing and delete personal data upon request, respectively;
- Article 20, which will confer the right to enable transfer of personal data between companies upon request;
- Article 35, which will require companies to perform data protection impact assessments to identify risks to EU residents’ data.
The good news for consumers is that GDPR is serving as the impetus for companies to put consumer data protection top-of-mind. In fact, according to PwC’s GDPR Preparedness Pulse Survey, 77 percent of companies surveyed are planning to spend over $1 million preparing for GDPR.
Bottom line, U.S. companies that conduct business overseas also have to comply with GDPR or face the same fines as EU businesses (higher level fines are four percent of annual global turnover or €20 million). For example, take the recent Hilton breach: In October 2017, the NY attorney general slapped a $700,000 fine on Hilton for two data breaches affecting 350,000 customers. Under GDPR, Hilton, which conducts a huge part of its business in the EU, may have faced a $420 million fine based on last year’s revenue numbers.
The U.S. privacy laws have defined personal data similarly to GDPR except for the inclusion of online identifiers. Under GDPR, online data such as an IP address or cookie information is now personal data requiring protection in the case of EU resident data. This has a major impact on companies like Facebook, Twitter, LinkedIn, and many more, doing business in the EU that closely handle users’ personal data. It is likely that similar regulations will make their way to the U.S. at some point, but the question of when and the extent to which this same level of privacy will be adopted for American consumers remains to be seen.
So far, Congress has not been able to pass consumer data protection legislation as comprehensive as the EU's, which is why we have 48 states enacting their own security breach legislation to protect personal data. It is quite possible that GDPR may bring change to the U.S. and open the door for the enactment of similar regulations affecting all 50 states. Given the current trend to lessen privacy controls under the current administration (such as a controversial measure repealing online privacy protections established by the Federal Communications Commission), it will be a few years before any new privacy-based legislation is even proposed.
With GDPR just around the corner, it is critical that organizations do not delay or ignore compliance as it could have costly repercussions. In the effort to protect consumer data, organizations will face many obligations under GDPR, but many can be resolved quickly and easily. As with any new compliance mandate, large organizations could face significant budgetary, IT, personnel, governance and communications implications.
Obtaining senior management buy-in early in the process is critical. Businesses will need to start conducting complete data mapping exercises to know what personal data is processed, where and how, as this will pave the way to compliance.
Fouad Khalil is the head of compliance at SecurityScorecard.