On April 27th, the European Commission signed into law the General Data Protection Regulation (GDPR – Regulation 2016/679 and 2016/680) that will serve to unify 28 (now 27 with the Brexit, perhaps) different privacy laws into one unified regulation applicable to all. The regulations, which are set to go into effect in May of 2018, will require widespread standardization and unification of data privacy requirements across EU member states.
Why should the US and other non-EU citizens or companies pay close attention to the further development in policy and standards taking place in Europe? Because it is clear that not only the business world of the European Union stands to be impacted, but all organizations, directly and indirectly, marketing to and processing information of EU data subjects, which includes most cloud-companies and a vast number of large enterprises.
GDPR will trigger much stricter guidelines and regulations for fundamental issues such as individual profiling, consent for data collection, and comprehensive definitions of data. Another notable change is that all breach notifications will be strictly required to be reported within 72 hours from the time of initial discovery. Not many countries currently have such regulations revolving around breach reporting. Although in the US, rapid reporting of cyber incidents to the DOD, in the exact same timeframe of 72 hours, is in fact already required by DFARS – Defense Federal Acquisition Regulation Supplement, which provides specific regulations for DOD government acquisition officials and all contractors doing business with the DOD.
In short, a greater significance will have to be placed on understanding exactly where all data is located, how and where it flows, where it resides, with whom it is shared, and what consents are or are not given and when it (data) must be purged.
There is a number of transitional questions that will need to be answered in the next two years. What is the depth of impact to businesses and organizations worldwide? What unforeseen consequences will come to the IT world in general?
Organizations will have to pay close attention and stay connected to learn about the progression of the GDPR, as well as all other related data protection initiatives. It will be essential to understand the types of data protection (such as encryption) required by GDPR and to have a solid grasp on the types of platforms on which customer data is processed.
So, will the existing security solutions prove sufficient in the light of the new standards and regulations? What will the new breach notification requirements mean to the affected businesses? How will all personal data be properly classified in a way that enables secure access across all major platforms? One important thing to keep in mind as we ponder these questions is that GDPR is not just for Europe! It is, at the very least, for any and all organizations that process, collect, and use personal data relating to EU subjects. There will clearly have to be a significant amount of work performed in order to meet all the technical issues and challenges as we move closer and closer to GDPR’s full implementation. Undoubtedly, there will be a great need for trusted partners to help provide on-site support with specialized knowledge, data mapping, and classification to help deploy the right types of solutions and protection.