The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, governs how companies established in the EU, and companies anywhere in the world that deal with the EU, handle personal data protection and privacy.
Companies that fall into these categories, and even those that merely process personal data collected from EU citizens without doing active business in the EU, face real challenges in dealing with the effects of the GDPR.
But first – how did the GDPR actually come to be promulgated? The story of the GDPR started in 2012 when the European Commission set out its plans for an overhaul of what many viewed as an outmoded approach to handling data in what was called a new ‘digital age.’
Drafting and agreeing the GDPR took another four years, which reflects the complexity of the task.
The foundation of the GDPR is an effort to give consumers more control over how their personal data is gathered and handled. It recognizes that we live in an age where data is at the core of progress and that the Internet has revolutionized consumer buying behavior and the way we interact with each other (including the now-common use of social media). It also recognizes that almost every interaction we have with an organization on the Internet involves that company collecting and analyzing our personal data. Details such as social security numbers, credit ratings and card numbers, physical addresses, locations, and names were all fair game in the past.
So the need for the GDPR is readily apparent, and the case for an advanced set of regulations has become more urgent over the past decade. The pace of data breaches has been steadily increasing, and the volume of data lost to attackers has grown dramatically. This is the reason for the dual purpose of the GDPR. Firstly, it sets out rules on how personal data may be collected and processed. Secondly, it sets out companies' responsibilities for protecting that data from loss, including loss to those with malicious intent.
What exactly does GDPR mean for consumers in the European Union and those doing business with those consumers?
Firstly, companies are now required to notify the relevant supervisory authority when a personal data breach occurs, in most cases within 72 hours of becoming aware of it, describing the nature of the breach, its likely consequences, and the measures taken or proposed to address it. Where the breach is likely to result in a high risk to the individuals concerned, the company must also inform those individuals directly.
Companies are also under an obligation to tell consumers how their data is being used. Where processing relies on consent, that consent must be freely given and can be withdrawn at any time, and individuals have the right to object to certain kinds of processing, such as direct marketing.
Clearly, the GDPR will place an enormous strain on the IT and security professionals in many organizations; however, it is a step that has been long overdue.