Friday, May 18, 2018
On May 25, 2018, the European Union will bring into force the General Data Protection Regulation (GDPR), a set of protections designed to help European citizens manage their digital destinies. The rules enable consumers to control how companies use, market and store their personal data. European consumers can exercise their “right to be forgotten” by asking companies to delete their personal information. Analysts expect the regulation to affect any business that transacts with European citizens online, whether in their countries of origin or in their travels around the world.
Gary Glover, vice president of assessments at SecurityMetrics, said supervisory authorities (SAs) will enforce the GDPR and issue non-compliance fines. SA oversight will extend to companies that process European citizens’ personal data, including cloud-storage services, universities, hospitals and merchants outside the EU’s footprint. “Companies need to ask, ‘Do I have any data from any subject in the EU anywhere in my system?’” Glover stated.
Glover advised against thinking of GDPR as a set of requirements for an audit. “This process is inherently different from Payment Card Industry Data Security Standard (PCI DSS) compliance, which is prescriptive and security-centric,” he said. “GDPR requires companies to have more control around the management of personal information, with procedures in place to automatically or manually remove it when necessary.”
The EU took four years to develop the GDPR before it was approved by the EU parliament on April 14, 2016, Glover noted. The GDPR will apply to all EU member states on May 25, 2018. While it is unclear which types of companies will be targeted by SAs, Glover encouraged merchants and service providers to be aware of the GDPR’s key requirements, which include the following:
Knowing their organization type and responsibilities will also help companies achieve compliance, Glover said. “Different rules apply to different business types,” he added. “Entities that process personal data as part of doing business are considered data controllers; companies that process the data on behalf of controllers are considered data processors.”
Glover expects the GDPR to remain a work in progress for the foreseeable future but encouraged companies to get started on the path toward compliance. “Begin by using advanced data mapping and filtering to find the data,” he said. “Then ask, ‘What is my reason for keeping and using this data?’ We’ll need a generation of lawyers to help us implement these guidelines.”
The GDPR replaces the Data Protection Directive (95/46/EC) of 1995, established before widescale data mining transformed the global marketplace. Legal analysts expect the new measures to target companies like Amazon Inc., Apple Inc., Google and Facebook – companies the EU has criticized for violating antitrust laws and failing to protect consumer privacy.
In June 2017, the EU fined Google 2.4 billion euros for abusing its dominance in online search, claiming the practice deprived other companies of the opportunity to gain market share. Analysts have said the case reflects inherent differences between American capitalism and European hegemony. In 2016, EU antitrust chief Margrethe Vestager demanded Apple repay $14.5 billion in back taxes to Ireland; Apple and Ireland intend to appeal the ruling. She has also questioned Facebook’s terms of service and Amazon’s tax records in Europe, experts noted.
Shelly Palmer, CEO of The Palmer Group, a strategic business and technology advisory firm, said companies deemed non-compliant with the GDPR can face fines of up to 4 percent of their annual worldwide revenues. “This is a staggeringly large penalty,” he stated. “A violation could cost Facebook, for instance, up to $1.6 billion. The number would be much greater for companies such as Google and Amazon.”