We live in a rapidly changing world. Breakthroughs in new technologies occur at a fantastic pace. This has led to many wonderful improvements in our society but has also brought unexpected conundrums. Advances in data collection have transformed the commercial sector by allowing the consumer to be studied and observed in real time. As the consumer interacts with a product or service, data is collected and then sent to manufacturers and marketing firms for analysis. Data collection has also reshaped social media platforms and created serious ethical dilemmas. Mass data collection can contribute positively to many emerging technologies, but it must be applied ethically. Another factor to consider is how the data is stored and who can access it. Over time (and many data breaches later), it was decided that a standardized set of rules for data collection and storage was needed. What evolved was the General Data Protection Regulation (GDPR).
Who Created GDPR?
First, let us discuss who created the GDPR. Over the last two decades, the European Union has set the gold standard for data protection and privacy. Due to the increase in data breaches and privacy concerns, the EU decided to raise the bar even higher. The European Parliament adopted the General Data Protection Regulation on April 14, 2016 (the regulation itself is dated April 27, 2016, and entered into force on May 24, 2016). The GDPR replaced the previous Data Protection Directive of 1995. Because it is a regulation rather than a directive, it applies directly in every member state without national implementing law, and organizations were required to be compliant by May 25, 2018, when it became enforceable, or face financial repercussions.
What is GDPR?
Next, let’s examine what the GDPR is. The GDPR reaffirms many existing data privacy rights and creates new ones. Its three main objectives are to standardize data privacy law across Europe, protect the personal data of people in the EU, and change how organizations approach data privacy and collection. It is important to remember that the GDPR does not apply only to businesses located within the EU. Under Article 3, it also applies to organizations outside the EU if they offer goods or services to people in the EU or monitor their behaviour, and the protection attaches to data subjects located in the EU regardless of their citizenship. This has caused many issues in the North American commercial sector, where collection and privacy standards are weaker and less well understood. Many U.S. businesses are operating in a precarious manner, risking heavy fines and the loss of their EU customers and partners. Under Article 83, businesses can be fined up to 4% of their annual global turnover or 20 million euros, whichever is higher, for the most serious infringements (a lower tier of 2% or 10 million euros applies to others). Some may be justified in arguing that the GDPR is written to be purposely convoluted, making it difficult to understand and thus allowing fines to be applied more frequently. It is without doubt a comprehensive document, requiring great attention to detail.
How to Manage GDPR for Your Organization
Finally, I will offer some insight on how to manage GDPR for your organization. First, every organization should designate someone who is accountable for data protection. For public authorities, and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, appointing a Data Protection Officer (DPO) under Article 37 is a requirement, not a suggestion. Note that this is a distinct role from the Chief Information Officer (CIO); the DPO must be independent and report to the highest level of management, and it is important that this person is qualified for the role. Second, for any processing likely to result in a high risk to individuals, Article 35 requires a Data Protection Impact Assessment (DPIA), often called a privacy impact assessment (PIA), which documents how personally identifiable information (PII) is collected, used, and accessed by the organization and what safeguards apply. Third, all personal data needs to be properly inventoried, regardless of platform (cloud-based included); Article 30 requires most organizations to keep records of their processing activities. It is important to remember that a risk-based approach is needed for data protection: Article 32 calls for security measures appropriate to the risk, which in practice means encrypting, pseudonymizing, deleting, or redacting data according to its classification. Fourth, have contingencies in place to handle a data breach: Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of the breach, and Article 34 requires notifying the affected individuals without undue delay when the breach is likely to result in a high risk to them. The 72-hour clock starts when you become aware, so detection and escalation procedures matter as much as the notification template itself.

The final insight I will offer is to create a strong Data Governance Policy (DGP). The purpose of a Data Governance Policy is to define the data governance model, which covers how data may be accessed, used, and stored. The DGP should set out the following objectives: defined roles and responsibilities for the management of data; ease of access; enough context that, once data is located, users can interpret it correctly; security of the data through strong encryption, including confidentiality and protection from loss; integrity of the data; and accuracy of timelines. Organizations that are not in compliance with GDPR risk losing credibility and the trust of their EU customers at the very least. It is important to read the GDPR carefully and with diligence. In my next article I will discuss PCI compliance and its impact on global commerce.