We now have less than a year left until the EU General Data Protection Regulation (GDPR for short) becomes applicable, and companies are rushing to prepare during the transition period. The GDPR, which will radically transform the landscape of data protection legislation and privacy as a right in Europe, was adopted in April 2016, but it does not apply until 25 May 2018. This two-year transition is intended to give affected entities the time to prepare adequately.
New Regulation, New Rules
One of the reasons for introducing the GDPR was the continuous evolution of fields that require the handling of personal data; it was generally recognised that developments such as social media, mobile apps, big data and the cloud were not sufficiently addressed under the previous EU Data Protection Directive (95/46/EC). As technology advances, cybersecurity and privacy concerns become more elaborate and demanding. The GDPR is meant as a comprehensive answer: it imposes further requirements and safeguards on entities collecting, storing and processing personal data, and in doing so demands a higher level of security.
For instance, GDPR Article 25 lays out two main principles: data protection by design and data protection by default. Data protection by design requires that appropriate technical and organisational measures aimed at protecting personal data (such as pseudonymisation and data minimisation) are built into the complete lifecycle of a company's products and services. Data protection by default limits the amount and type of personal data collected and processed, and the period for which it is stored, to what is necessary for each specific purpose; it also requires that personal data is not made accessible to an indefinite number of people without the individual's intervention. Implementing these principles changes how cybersecurity is approached: it forces companies to make their primary cybersecurity approach a proactive one, focused on the design phase and on protective default settings, rather than relying on users to opt in to privacy-protective settings themselves.
GDPR Will Affect US Companies
It is widely known that the EU takes privacy very seriously, too seriously according to some. The level of data protection accorded under EU law has been somewhat higher and more rigid than US companies are accustomed to on their own turf; for example, even the definition of personal data is narrower under US law. Now US players must get used to the new regime and upgrade their cybersecurity strategy, because the GDPR also applies to US companies offering goods or services to, or monitoring the behaviour of, individuals who are in the EU, regardless of where the company itself is established.
You do not have to be playing in the too-big-to-fail league to trigger the GDPR and incur fines for non-compliance: last November, Germany launched a data protection investigation into 500 companies that were based in the US but operating in the country. The corporations under scrutiny fell across a wide spectrum of capacity and size, ranging from microbusinesses to larger organisations. According to a report published on SecurityWeek in early July, 75% of US businesses falsely believe that the GDPR will not affect them; worse, one-third of respondents could not identify where their company stores the personal data it collects, and fewer than 50% of companies had laid out an incident response plan for data breaches.
The deadline is approaching quickly, and US companies seem to have a lot of catching up to do, not only to adhere to GDPR standards but also to fulfil the fundamental cybersecurity requirements that the new EU rules reflect.