Businesses worldwide will soon have to lift their standards when it comes to protecting consumer data, as one of the biggest regulatory changes in recent times comes into play.
The General Data Protection Regulation (GDPR) was approved by the EU Parliament in 2016, and will be enforced as of 25 May 2018.
The changes mean companies must now inform users if their data is being processed and notify affected individuals within 72 hours of a data breach, or face severe fines.
Additionally, the conditions for data consent have been strengthened, meaning companies must request consent in an “intelligible and easily accessible form”, rather than in long-winded fine print.
Executive Vice President of Network Defence at Trend Micro, Steve Quane, explained that although GDPR is being enforced by the EU, the ramifications will have global reach.
“GDPR is not applicable because of country boundaries, it is applicable because of a person’s data,” he told Information Age.
“If those EU citizens are outside the EU and/or a company outside the EU wants to conduct business inside the EU, they have to comply.”
He gave the example of a casino operating in Macau, China, with a considerable number of patrons from the EU.
Although none of its business is conducted within the EU, the casino collects credit card data and email addresses of its customers, some of whom are EU citizens, therefore making it subject to GDPR regulation.
Large companies that have a division in an EU nation will also have to comply.
“I believe that any organisation of any size, scope, or scale is affected by GDPR; not just those organisations inside of Europe,” said Quane.
The changes come as Australia’s new data breach laws take full effect.
Size doesn’t matter
Officially, GDPR will only apply to companies with over 250 employees.
However, Quane explained that smaller companies that are trying to sell their product or service to one of these larger companies must also be GDPR compliant.
“Every company needs to realise that they are liable depending on what they do with customer data, rather than what type of organisation they are,” he said.
“A key concern is that organisations will take the attitude of ‘we’re only a 100-person organisation so we don’t have to worry about GDPR.’
“But they are probably providing services to larger organisations who are liable and/or collecting personal data.”
There is also an exception for companies with fewer than 250 employees where the “data processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences” (Article 30).
These companies are also subject to GDPR.
Comply… or else
To comply with the new regulations, the main changes companies will have to make will be around how they document customer data.
“There is a need for companies to be very specific about what type of data they have and double-check this,” said Quane.
“A lot of organisations have assumptions about their data, which makes them think that they are prepared for GDPR.
“But there are more onerous requirements than people expect.”
Quane explained that the category of personally identifiable data is much broader than many people think, and includes business email addresses and IP addresses.
Fail to meet these requirements?
You can expect to pay the price.
The penalty for non-compliance is either 4% of the company’s annual global turnover or €20 million – whichever sum is greater.
These penalties will be enforced by a special body inside the EU that is backed by government.
However, if companies outside the EU are subject to these requirements, how will they be fined for non-compliance?
The EU can’t actually force them to pay these fines, but if they don’t, it won’t go unnoticed.
“If they are conducting business in Europe and are found to be negligent, if they don’t pay the fine then they will have to cease doing business in Europe,” warned Quane.
Bringing in experts
To meet these strict requirements, companies may look to bring on board a Data Protection Officer or a Data Expert.
However, the fact that these roles require skills in both cyber security and data may lead to structural complications for a company.
“It is also interesting to consider where this person reports to in an organisation,” said Quane.
“If they report to the CFO, there may be conflict between the Data Protection Officer and the CSO.
“If they report to the CSO, they may not really understand the legalities behind GDPR because they are reporting in through IT.”
Additionally, as with most positions in the ICT industry, and because demand has spiked so suddenly, organisations can expect to face a skills shortage when looking for Data Protection Officers and Data Experts.
Why the need?
Although the changes may seem dramatic, GDPR has been a long time coming.
Discussion within the EU of the need to better protect consumer data began in 2012, when it was recognised that more had to be done to protect it.
After four years of back-and-forth, the regulations were officially created in April 2016, after all member states but Austria voted to adopt the changes.
Quane believes the new rules finally value the modern-day importance of data.
“Data breach regulations such as GDPR were created because personal data is important, as important, if not more, than money, safety, and security,” Quane said.
“The industry is very late in acknowledging that data needs to be protected better, and organisations need to disclose when they’ve lost someone’s personal data.”