The 25th of May 2018 was a landmark day for consumers when it came to just how their data was treated.
That was when the General Data Protection Regulation (GDPR) came into effect in the European Union.
For many years there has been increasing concern surrounding data privacy and protection.
Companies in a wide variety of industries, ranging from retail to insurance, financial services and social media, have been harvesting data and using it either for their own purposes or, even more worryingly, selling it to marketing companies who would then harness that data to provide highly targeted advertising (that is, advertising aimed at an individual, taking account of his or her preferences).
The worrying thing about these trends was that consumers were not given any insight into just what sort of data was being gathered, how it was being used and, possibly just as importantly, how companies were safeguarding the data they had gathered.
And the amounts and types of data being gathered are staggering: social security numbers, credit card numbers, medical records, buying habits, names, physical addresses, group memberships, and the list goes on.
Just as worrying is the increasing power and complexity of the algorithms that process all this data. It is no exaggeration to say that these companies are well on their way to building behavior prediction models so comprehensive that they will know what you will do before you do, and plan accordingly.
Another concern was the increasing number of malicious attacks on databases of consumer data and the theft of sensitive information to be used later in various scams.
It became clear that companies were not doing all they could to safeguard the information they had gathered.
So the GDPR places the responsibility for this back into the hands of the companies gathering the data.
But just how easy are these companies going to find it to comply with the regulation? If early reports are any indication, it is going to be a challenging road ahead.
The GDPR is noticeably vague in some of its definitions, and this is giving security personnel sleepless nights.
For instance, it states that a company should take all ‘reasonable steps’ to ensure that data is safeguarded, but it fails to define what ‘reasonable’ is.
Another area of concern is that the GDPR calls on companies to appoint a ‘Data Protection Officer’ where they are ‘processing’ large amounts of data, but then neglects to define at what company size a ‘Data Protection Officer’ is required.
Given that the penalties for non-compliance with the standards and regulations set in place by the GDPR are harsh (and that may very well be an understatement), companies are extremely concerned about their responsibilities, and rightly so.
It is difficult to argue against the necessity of the GDPR; however, further clarification of responsibilities will be required for it to be effective.