After remaining largely unchanged for nearly two decades, data protection laws in the European Union have finally been updated. For a long time, companies have enjoyed a relatively stable set of regulations. Now businesses all over the world will be forced to significantly revamp the way they manage personal data with the rollout of the General Data Protection Regulation.
Here’s what you need to know:
What is it?
The General Data Protection Regulation (GDPR) is a European privacy law that applies from May 25th, 2018. It covers not only organisations established in the EU but any organisation in the world that offers goods or services to people in the EU or monitors their behaviour, regardless of where the data is processed. The updated regulation is aimed at creating a single set of rules for all EU member states, bringing the law on par with the latest technological advances and giving EU residents more control over their data. Failure to comply will result in significant financial penalties that can reach up to 4% of global annual turnover or €20M, whichever is greater.
Consequences for businesses
The GDPR is a complex set of regulations that will require significant changes by companies in the way they approach personal data, especially related to how it is collected, stored and managed. In general, the biggest implications can be categorised into the following aspects:
Data location & flow
Companies must be able to identify what personal data they hold and where it is stored at any given moment. Moreover, the rules on cross-border data transfers have been strengthened, so firms must re-evaluate whether their existing transfer arrangements still comply.
Firms must be able to track personal data flows, not just within their own organisation but also to the third parties that are given access to that data. Partner selection and collaboration must therefore be conducted carefully to ensure compliance throughout the chain. Additionally, data processors are now directly liable for data protection violations, may only process personal data on the documented instructions of the controller under a written contract, and need the controller's prior authorisation before engaging sub-processors.
Privacy by design
A key aim of the GDPR is to require companies to build data protection into new systems from the design stage, rather than bolting on compliance elements at the end. In particular, the amount of personal data collected, stored and processed should be limited to what is necessary for the stated purpose of the processing (data minimisation).
Data Protection Officer
The GDPR also requires many organisations to appoint a data protection officer (DPO): all public authorities, and any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. This person must have expert knowledge of data protection law and practice in order to inform, advise, and monitor compliance. A group of companies may appoint a single DPO, so large corporations can cover the entire EU market with one appointment, while the cost of the role falls harder on smaller companies.
Data protection & security
Besides maintaining security controls for preventing, detecting and responding to breaches, the GDPR requires firms to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the affected individuals, those individuals must be informed without undue delay as well.
In light of the right to data portability, companies will have to find a suitable way not only to transmit information to people in a transparent and accessible way, but also to make sure that the individual requesting the data is properly authenticated, so that the request itself cannot be used to leak or abuse someone else's personal information. Additionally, people must be able to have their data transmitted to another controller in a structured, commonly used and machine-readable format, and individuals must be given the right to have their personal data erased. Finally, the rules on consent have been tightened: consent must be a clear affirmative action, so firms can no longer rely on pre-ticked boxes or simple "opt-out" solutions.
Official EU statements mainly talk about cost-saving opportunities in the region of €2.3B per year stemming from the uniform regulations. However, organisations will have to make significant upfront investments in order to comply with the new rule set. In fact, a survey by PwC revealed that 77% of US multinationals are planning to allocate more than $1M in order to meet the new data protection compliance requirements in Europe, and 9% are setting aside over $10M. Appointing a DPO for Europe, training staff on the new regulations, and creating the necessary processes and technology infrastructure to comply with the law are just a few of the cost drivers.
Microsoft believes the GDPR represents an important step forward for individual privacy rights and Lumagate agrees with this sentiment. EU citizens will finally have more control of their personal data as the new law gives them the rights to have personal data “erased”, transfer it to another controller, or view what data is stored by companies. Ultimately, European residents will have their personal data protected no matter where it is sent, processed, or stored.
While the GDPR is good news for EU residents and their data protection, it remains to be seen what impact the law will have on businesses. Regardless, potential financial penalties of up to 4% of global annual turnover provide more than enough motivation to start the GDPR compliance journey today.
Microsoft has committed to being GDPR compliant across its cloud services by the time the regulation applies on May 25th, 2018. This is good news for any company looking to store data online in a GDPR-compliant manner, and it makes investment in cloud services from Microsoft a sound choice for the future.
If you want to learn more about setting up your business for a successful cloud journey in light of the GDPR, download our “Lumagate 2017 book” here:
Global Program Manager for Identity, Access and Security with focus on Microsoft technology. Identity Management, Office365, Azure, Azure AD Premium, EMS, ECS.