GDPR – The Next Global Privacy Paradigm?
It was only a matter of time before digital security began to assume a much larger role on the geopolitical stage. The explosion of SaaS apps and social media - and their inherent exchange of free services for your data - has led to unintended consequences from bad actors in the public digital square.
Some regulations have always been in place. However, as of May 25, 2018, with the enforcement of the General Data Protection Regulation (GDPR), digital privacy concerns have reached an entirely new level.
IGNORE AT YOUR PERIL: SCOPE AND PENALTIES
A quick read of the Scope and Penalties sections of the GDPR document should be enough to jolt even the most jaded executive from any position of indifference.
Check out these highlights:
- GDPR jurisdiction applies to all companies processing personal data of subjects residing in the Union, regardless of the company’s location.
- The penalty for breach is the greater of 4% of annual global turnover or €20 Million.
- Fines can be imposed for infringements such as not having sufficient customer consent to process data or violating Privacy by Design concepts.
- Rules apply to both controllers and processors -- meaning 'clouds' will not be exempt.
However, the numbers and reach are only window dressing if we consider the larger consequences of the 99-article-long GDPR document.
PRIVACY RIGHTS ARE NOW HUMAN RIGHTS
The new EU law aims to enshrine privacy rights as human rights (Article 8 (1)). Never before has privacy been so elevated in the Charter of Fundamental Rights of the European Union. This new initiative means to establish a blueprint for how privacy will be handled for the balance of this century. It’s so revolutionary that regulators and Silicon Valley are both playing catch-up. We need only witness Mark Zuckerberg defending himself on Capitol Hill to realize that even the innovators have found themselves behind the 8-ball on these issues.
HOW IT AFFECTS YOUR BUSINESS
In the past, cybersecurity might have been considered a nuisance at worst and a necessary evil at best. But now, no firm wants to commit a human rights violation. So digital security strategy must find a place among top business concerns.
So how does this change your business?
On the practical side, regulations such as GDPR will require companies to begin documenting processes and create a system of record. New laws will also demand a higher level of circumspection and evaluation about how companies operate in addition to the subsequent documentation of rationale. These shifts will push companies to train their staff with principles like Privacy by Design and Privacy by Default (Art. 25) and require transparency between controllers and processors in how data is handled.
These aren’t simplistic security patches to thwart a hacker. These demands squarely challenge operational and strategic business decisions. Even beyond the possibility of fines, entities will also be looking to pair with others that have adopted the correct posture in response to regulations. As time goes on, fewer companies will want to expose themselves due to the company they keep.
SOLUTIONS WILL COME FROM THE SECURITY SECTOR
The most robust solutions will come from the security sector, as it has been gearing up for GDPR since the regulation was announced. Security and privacy firms that deliver solid solutions, but that also firmly grasp business models, are in the best position to serve - and benefit from - the sea change being created by new regulations such as GDPR.
Some factors that will differentiate the competition are:
- Proper alignment of corporate policies with industry standards.
- Access to key assessment tools, such as PIAs, to adequately document data handling processes using a risk-based approach.
- Ability to map IT compliance requirements - from upstream trading partners down to in-house policies.