Latest great guest post by Marc R Gagné MAPP Senior Privacy and Data Advocate, Cyber Intelligence and Director @ Gagne Legal.
In a little over a year, the most dramatic changes in data protection law in 20 years will take effect. The General Data Protection Regulation (or ‘GDPR’) represents the most sweeping and stringent set of data protection laws the world has ever seen.
GDPR hails from Europe. And it may not look like it right now, but the rest of the world will eventually rise to meet these standards with their own security and privacy mandates. Businesses who think otherwise are setting themselves up for failure.
If you have European customers, you have until May 25, 2018 to change your processes and policies and to get your people on board with GDPR.
Call it What You Will, but GDPR is the Way of the Future
Make no mistake: this is the way of the future. As such, GDPR should not feel radical to you. Nor should it be treated as an anomaly. Despite the birthing pains of Privacy Shield, combined with all the obstacles and problems it’s faced since it went into effect less than a year ago, stronger data protection is our new reality. Privacy Shield may only be voluntary, but GDPR is mandatory.
Compulsory compliance with data protection laws is coming, sooner or later, to other parts of the world. The sooner businesses get used to it, the sooner they can get on to the important business of figuring out how to protect their customers’ data while minding the bottom line.
GDPR is How We Manage Privacy in the Digital Age
If you follow privacy and security issues, you understand that technology creates both opportunity and constraint. It’s often talked about in terms of trade-offs. For example, we trade privacy for convenience. We trade privacy for security.
But with tough rules in effect, like those of GDPR, we don’t necessarily have to make these trade-offs. We can allow our data to be collected, knowing it’s going to be protected by strict laws that are enforced. In return, we’re reaping the benefits of the digital world – convenience, cost-savings, and choice. If we move forward into the digital age, our laws must also move forward.
In other words, GDPR is the legislative attempt to strike a balance between privacy and all the wonderful benefits of living in the digital age. It’s the first major success with unifying and standardizing data protection laws across international boundaries. It is the first of many.
Don’t Mistake the Ebb & Flow of Dialogue on Privacy for the Possibility of Rollbacks in Legislation
Because talks on privacy and security issues ebb and flow, it’s not always abundantly clear how things are going to pan out. Holdouts in the current United States administration, for example, hold onto the notion of ‘security over privacy’, even in the face of strong support for GDPR and similar data protection initiatives.
International dialogue on data protection laws is fraught with political tension. One reason for the turmoil, the lawsuits, the heated debates on privacy vs. security is fear. It’s all tinged with the worldwide fear of terrorism – how do we strike the right balance between privacy and security? Can’t governments offer both? The EU seems to have a more positive outlook on this, as evidenced by the GDPR. But either way, businesses have to prepare for EU-level rules, not hope for rollbacks in data protection measures.
Things Change: Get Used to It
If GDPR legislation does, in fact, feel radical to you, then it may help to compare it to the environmental mandates that took effect decades ago. Before we had environmental laws, companies were spewing filth into rivers and streams, polluting neighborhoods, making people sick, and turning the atmosphere into a hot, dirty mix of carbon monoxide, particles, and who knows what else. These weren’t necessarily evil wrongdoings. It’s entirely possible that they couldn’t even have been chalked up to careless acts.
You see, a hundred years ago, the land seemed bigger, more able to absorb whatever harm we caused. Chemicals simply washed downriver and into the ocean – out of sight, out of mind and into the vast, limitless environment that would absorb endlessly. So it seemed odd that businesses would have to start cleaning things up, minding their output and the by-products of production. Those new laws seemed radical.
But those businesses were looking only at their immediate physical surroundings, not listening to reports from scientists showing that their polluting activities would show up far away and would have long-term consequences. Starting to sound familiar? If GDPR seems radical to you, then it’s time to open your ears and listen to what the experts are saying about privacy, the Internet of Things, data security, and human rights.
‘Doing Your Best’ Won’t Cut it Any Longer
With short-range-vision goggles in place, it’s easy to think you’re doing enough. You have only to widen your perspective and you’ll quickly realize that your best isn’t good enough anymore. The sophistication of data thieves and hackers compounds every week. As the Internet of Things grows, so too does the long list of data types that need protecting.
All security gaps are crucial at this point, no matter how inconsequential they may seem to you at the moment. Plus, the regulatory risk for non-compliance is huge. Beginning in May 2018, violators face fines of the greater of €20 million or 4 percent of their global annual turnover. Plus, there’s the possibility of owing the parties you damaged compensation. Here’s the exact GDPR wording: “Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
In Italy it’s already happening: last month 5 Italian companies were fined over €11 million for violating GDPR-like rules. Customer data was ‘unlawfully processed’ by money transfer companies who were actually laundering money to China. The fines were huge, and the violating companies have only themselves to thank: they did not cooperate and showed little or no willingness to remedy their misdeeds.
Businesses had better get going, too. According to a report from the global analyst firm Ovum, more than half of global IT companies didn’t think they’d be able to meet GDPR requirements. Almost two-thirds of the German companies surveyed believed that they would face fines. That survey was done in December 2015, so maybe the numbers have improved since then. We can only hope.
So as you move forward, the best thing you can do right now is to familiarize yourself and your staff with GDPR and task smart and powerful people within your organization to make the necessary changes so you’re compliant. Taking data security seriously is the only way you can thrive in the 21st century and beyond.