The GDPR is an EU regulation that obliges organisations to protect the personal data and privacy of individuals in the European Union when processing that data in the EU Member States. Failure to comply can cost companies dearly. Here is what you need to know about GDPR compliance.
Which companies must comply with the GDPR?
All companies that collect or process personal data of people in the EU have had to comply with the new data protection rules since 25 May 2018, regardless of where the company itself is based. The General Data Protection Regulation (GDPR) sets a new standard for individuals' rights over their data. Businesses face the challenge of putting systems and processes in place to comply with it, and compliance raises new concerns and expectations for security teams.
The GDPR takes a broad view of what constitutes personal data. Businesses must apply the same level of protection to identifiers such as an individual's IP address or cookie data as to their name, postal address and national identification number. Many of the GDPR's requirements do not relate directly to information security, but some do: Article 32 requires technical and organisational measures appropriate to the risk of the processing, and Articles 33 and 34 require that a personal data breach be reported to the supervisory authority within 72 hours of becoming aware of it and, where the risk to individuals is high, to the individuals themselves. The process and system changes needed to comply with the rest of the regulation may also affect existing security controls and procedures.
What is GDPR?
The European Parliament adopted the GDPR in April 2016, replacing the Data Protection Directive 95/46/EC of 1995. It contains provisions that oblige companies to protect the personal data and privacy of individuals in the EU when processing that data in EU member states, and it also regulates the transfer of personal data outside the EU. As a regulation rather than a directive, it applies directly and uniformly in every EU member state (28 at the time it took effect), and in the wider EEA, so companies have essentially one standard to meet. That standard is demanding, however, and most companies have had to make a significant investment to comply.
Why was the GDPR adopted?
The short answer is public concern about privacy. Europe has long had comparatively strict rules on how companies may use individuals' personal data; the GDPR replaces the EU Data Protection Directive that came into force in 1995. In the digital age, stronger protection of personal data has become essential.
The 1995 directive was written before today's ways of collecting, storing and transferring data existed, and no longer reflected them. According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the US, 80% of consumers said the loss of banking and financial data was a major concern. Loss of security information (for example passwords) and identity information (for example passports or driving licences) was cited as a concern by 76% of respondents.
An alarming statistic for companies that handle consumer data is that 62% of respondents in the RSA report said that in the event of a breach they would blame the company that lost the data, not the attacker. The report's authors concluded that as consumers become better informed, they expect more transparency and responsiveness from those responsible for managing their data. Software built for GDPR compliance can help with tasks such as maintaining records of processing activities and consent, but it supports rather than replaces the organisational processes and security controls that compliance actually requires.