With or without Britain, the European Union is about to implement broad-based data privacy and security business standards across all 28 member countries. The new standards, passed in April 2016, replace outdated 1995 standards. They will take effect on May 25, 2018, which is coming sooner than you think. (Britain has said that it will implement the standards “as long as it remains in the EU.”)
These regulations apply to any company that holds any data on any party that resides in the EU—not just to EU corporations. Even if you don’t have a European office, you probably have some data somewhere that will force your compliance with these rules.
The new rules, called the General Data Protection Regulation (GDPR), are intended to force any business that wants a presence within the EU to guarantee that all user/customer data and privacy is protected in all transactions within the EU.
Penalties are extremely harsh. Non-compliance can bring both private and public repercussions, but the big one is that fines can be up to five percent of global revenue.
This is a major change in privacy rules. Several recent surveys of corporate tech departments found that two-thirds of them thought that they would have to change their European strategies to accommodate these standards. Over half of them figured to be fined for non-compliance, a third thought they could incur reputational damage for non-compliance, and most expect to incur costs for bringing their businesses up to the new standards.
What is a company to do?
Answer these questions and look at these things:
- What entities are responsible for compliance? All of them—companies that create the data, companies that transmit the data, companies that process the data, companies that review the data, and companies that store the data, including cloud storage companies. All third-party contracts need to be reviewed and updated for compliance with GDPR.
- Next, who in the corporation is responsible for compliance? CEO? CIO? CISO? CDO? We will just make the call here and say that all of them are. That way, the buck doesn’t get passed and the company doesn’t fall short.
Also bring legal into this. Violators of the regulations can be sued for damages.
The new regs restrict the data that can be transferred outside of the EU. A company has to show compliance before it can transfer data from, say, France to the US.
Any user (anyone whose data is stored or transmitted) has the right to see what information about that individual exists, and the company will have 20 days to provide it. No hiding (this means you—Uber, whose data breach was hidden for a year).
Users can also demand that their data be erased. Completely. From every database and spreadsheet. This will probably require new protocols.
Corporations will need to generate and transmit reminders to users that the corporation has a user’s data and what the company is doing with it, and be able to prove compliance with this requirement.
This is a lot, and it really requires a company that qualifies under the new regs to take its privacy game to another level.
Kimmell Cybersecurity has the knowledge, understanding and skills to update and upgrade any company to meet these new standards. Call us.