For anyone opening a tech industry publication in recent months, it’s been nearly impossible to miss headlines related to the EU’s upcoming General Data Protection Regulation. Unfortunately, many of these articles are neglected by U.S. businesses with the mentality that it’s something happening across the pond and therefore is not as relevant as other pressing concerns. In reality, businesses in America have a lot to learn from these upcoming changes, and some will be legally bound by them.
First, it’s necessary to understand that the GDPR is designed to boost data privacy laws across Europe, empower citizens, and shape the way organizations approach data security. It’s set to go into effect on May 25th, although it’s estimated that 80% of companies will fail to comply by that date, meaning they could face fines as high as 20 million euros. Provisions included in the regulation are numerous, but there are some notable highlights.
A 72-hour breach reporting rule mandates that businesses notify authorities quickly of any data breach, and if the data is of a more sensitive nature, they must also notify the affected individuals directly. Failing to report a breach carries a fine of 2% of a company’s global revenue, which can amount to a lot. Further, the GDPR defines a data breach much more broadly than American standards do, and it ensures that ownership of personal data stays with the individual. Certain organizations will be obligated to hire a Data Protection Officer under the new regulation, and the requirements for what constitutes consent to use an individual’s personal information have also tightened.
For American businesses, the implications of the EU’s General Data Protection Regulation are two-fold. Firstly, it will legally affect certain U.S. companies directly. Article 3 of the regulation states that if personal data is collected from an individual in an EU country, even if the business collecting that data is based in America, then it is subject to the requirements of the GDPR. This has far-reaching implications for companies that have websites that may be visited by EU citizens. Just a small example is that, when asking for an email address and consent, it’s not allowable to have a user click on a link to a long “terms and conditions” document filled with legal fine print. Instead, companies will need to clearly explain what they intend to do with the email addresses they collect.
The second big takeaway for all American businesses, especially those that may not be legally affected by the GDPR, is that it can serve as an excellent data security guideline. Even if you don’t interact with EU citizens, it is wise to start operating as if you are for several reasons. At the most basic level, doing so can only improve your organization’s security and data operations. That can become a differentiator when you’re a U.S. company that is compliant with more stringent data regulations than competitors. Also, consumer protection rules and regulations regarding data are tightening across the globe. It’s only a matter of time before the U.S. as a whole, your state, or your city will see something similar. Preparing for that day right now is the appropriate measure to take, as companies must understand and safeguard their data better than ever before.
When it comes to data protection and cybersecurity, there is a lot to consider. Changing the way your organization addresses these topics isn’t easy, but the reality is the world is in a state where ransomware and data breaches are common. As technology evolves, so too does the sophistication of hackers and their malware, but without the right cybersecurity and data talent, a business cannot keep up the fight. Therein lies the biggest challenge regarding data protection.
Of course, hiring talent to assist in these measures has a financial impact. Even if you can find the right expertise to bring on board, the salaries of multiple niche IT professionals can seem prohibitive. However, there are cost-effective ways to engage with top cybersecurity and data professionals. Utilizing consultants to carry out your security objectives can provide project-based solutions that allow you to control costs, providing a cheaper alternative to hiring permanent talent who may not be needed after new measures are in place. Plus, spending money on talent versed in data and cybersecurity is a value-add to any organization. While even one temporary hire may add a cost for a few months, experiencing a single data breach can be financially catastrophic. That is a risk that businesses are no longer able to justify.
While the GDPR is specific to the European Union, businesses all over the world stand to be affected by it. May 25th will bring with it a significant change to the state of data privacy in the world, and that requires companies of every nature to take note and adapt. For those who need assistance doing so or are looking for top data and security tech pros, CyberSearch is ready to help.