We ended 2015 with full consensus that the internet needs improved security and data protection. Hackers breached too much data from government and corporate entities, and their momentum seemed almost completely uninhibited. We were concerned about the ethics of political and corporate surveillance and noted large holes in how customer, consumer and general population data is collected and transferred.
As it stands, existing laws have made it too easy for companies, governments and individuals to collect private information and distribute it. When information is mishandled or intentionally leaked, the responsible parties fade into the background where poorly worded and managed rules allow for easy absolution. These laws were written in an age before the internet and the global services we now all consume.
The online issues today are that of privacy and accountability, and the European Union aims to bring clearer guidelines to the seemingly borderless anarchy of the internet via the General Data Protection Regulation (GDPR).
Who is responsible for what and how responsible are they?
An obvious problem with internet regulation is jurisdiction. The internet is a free flow of information, and creating choke points and enforcing appropriate levels of privacy is difficult, especially when the rules differ from country to country. The GDPR is a huge step in the right direction because it aims to address regulation uniformly across Europe. Accordingly, the new laws may force the hands of other information superpowers by requiring non-EU companies to comply with European data protection law when operating in the EU.
When the EU Parliament approves the final language (expected this spring/summer), companies will have 2 years to prepare before the laws take full effect. Companies that do not comply with the new laws could face fines of as much as 4 percent of annual turnover. For some, that number could be in the high millions or even low billions of dollars. It is important for privacy laws to have teeth so that they are taken seriously, but at the same time they need to be applied in an appropriate and proportionate way.
The new framework for data regulation will supplement the previous patchwork legal structure with rigid, carefully considered laws. These laws will give individuals more power over their data and more visibility into what information they’ve shared.
Here are some significant policy upgrades worth noting:
- Companies that process sensitive data on a large scale will be required to appoint a data protection officer.
- Companies will need to receive explicit consent from individuals when collecting and/or processing their information. Likewise, companies will need to disclose the purpose of the data collection in clear and concise terms.
- Data subjects will be allowed both to request the transfer of their data from one service provider to another and, in certain situations, to have their personal data erased upon request.
- Companies will only be allowed to retain data for a limited time. At the end of the allotted time, the company will be required to review or erase the data.
- Companies will be required to notify data subjects of any data breach involving non-encrypted data within 72 hours.
- When a business uses a cloud service provider to process data, the cloud service will be required to comply with all GDPR security regulations.
The above policies are just a handful of the regulations that will force companies to evaluate how they operate in Europe. Though the new regulations are strict and come with stern consequences, the legislative parties responsible for the outlined rules are clear that they are not trying to deter business growth; the regulations are there to protect EU citizens. In fact, legislators claim that the next step will be to remove groundless barriers that limit companies' data exchange across borders. They will look at storage limitations and processing restrictions on data to determine where they can further improve the flow of information commerce.
It is important to start preparing for the GDPR now: look at how you are managing the privacy of your customers, and ask your suppliers how they are getting prepared.