We previously wrote a list of cybersecurity predictions for 2018 that included an increase in IT regulations. We cited one such emerging provision, the General Data Protection Regulation (GDPR), as a sign of a developing trend. If you did not read further on the subject at the time, and if you do any sort of business online that involves anyone who has resided in Europe, then you will want to keep reading here.
The GDPR emerged from the Data Protection Directive 95/46/EC, ratified by the European Union’s governing bodies in 1995, which itself came from legislation pushed forward in the early 1980s. The idea behind this group of laws is to protect the personal data of European citizens while still allowing it to flow freely.
U.S. companies that may be affected by this law should note that “personal data” is generally defined more stringently in the EU, and covers virtually all digital information that can be used to determine the identity of the person the data originally belonged to. This includes not only basic entries such as names, addresses and phone numbers, but also additional identifiers such as race, gender preference, and health data.
Tracking cookies and IP addresses are also considered personal data under EU law, the former if the information they collect can be used to identify the user. Under the GDPR, the user must freely consent to providing this data, at which point it becomes the responsibility of the company that collects it. One of the stipulations of this regulation is that if the collector or anyone else uses this information in a manner that invades the privacy of the individual it belongs to, or in a manner that was not previously agreed upon, then the collector of that data becomes legally liable for the consequences.
The comprehensive nature of this regulation means that even something as simple as a survey that reaches someone living in the Eurozone might make your company liable for any personal information you collect from the respondent. If you are found to have displayed intent to specifically market to EU citizens and/or to utilize any data collected, you will most likely be subject to the GDPR’s requirements. Similarly, any money exchanged over the Web for ecommerce purposes (and the corresponding financial information that facilitates it), as well as having employees based in the EU, will also require compliance with the GDPR.
The GDPR is very detailed legislation, so it might take some lengthy additional research into each article and a conversation with legal counsel before you can determine precisely which provisions apply to you. However, it may be prudent to take steps to meet these requirements regardless. As we indicated in our predictions for 2018, this type of policy will likely become the new standard over time.
Facebook has already preemptively transformed its data mining procedures ahead of the May 25 deadline for GDPR compliance, to avoid the type of scrutiny (and fines) it has faced in the past for breaches of privacy. Though the U.S. has traditionally been relatively less strict about data protection at the legislative level than Europe, this mindset will probably shift as the incidents that prompted the creation of the GDPR become more commonplace.
Despite this, recent studies indicate that many American businesses may not be prepared for, or are unaware of, what this type of regulation actually entails. Some surveys revealed several worrying trends, including widespread ignorance among quite a few employees of the nature of GDPR provisions, of what actually constitutes sensitive data, and of the severity of the fines for failure to comply. Noncompliance can cost businesses up to 20 million euros (approximately 25 million USD) or up to 4 percent of their annual global revenue.
A primary obligation for compliance with the GDPR and similar regulations is demonstrating the ability to consistently protect any and all personal data collected. This means that cybersecurity must become a greater focus for any business that digitally records the information of its customers. This can be problematic for SMBs that cannot afford to keep a dedicated IT department year-round, yet going by the current trend in U.S.-based data regulations, allowances are made for outsourcing cyber protection. Third-party MSPs can conduct the required testing of your network security and maintain backups of your data while keeping costs manageable.
Contact us to find out how we may be able to help you keep your data secure and ensure you follow the best practices in network protection.