In this age of information, the world has been repeatedly rocked by data breaches, each one bigger and farther reaching than the last. Not every attacker profits from these intrusions, but every breach of personal data disrupts the lives of the people affected and damages the reputation of the organization that allowed it to happen.
Data protection is the need of the hour and cannot be taken lightly by countries, companies or individuals. The European Union (EU) is now showing the way to the rest of the world with the adoption of the General Data Protection Regulation (GDPR), a regulation (not a directive, so it applies directly in every member state without national implementing law) that protects the personal data of everyone in the EU.
Since the adoption of the Data Protection Directive in 1995, the European Union has loosely followed the seven principles given below to protect the personal data of individuals living in the EU; they were part of that EU Directive:
The EU's General Data Protection Regulation affects every business operating in Europe and everyone residing there, but it also has extra-territorial reach: it governs the personal data of people in the EU even when that data is exported or processed outside the EU. Its rules make the processing of personal data uniform across the EU and bring it under a single legal umbrella.
When it becomes enforceable in 2018, the GDPR will supersede the earlier EU Directive and impose obligations not just on businesses and individuals in the EU but also on organizations anywhere in the world that handle the personal data of people in the EU, including their correspondence, their homes and their private and family life.
Its stricter compliance requirements come with heavy financial penalties for transgressions (up to €20m or 4% of annual worldwide turnover, whichever is greater, calculated at the group level for groups of companies). The fines cover aspects such as:
The sanctions and remedies under the GDPR give regulators unprecedented powers to intervene in business and to shape how organizations operate, including the power to impose these fines. For the largest companies, 4% of worldwide turnover could run into billions of dollars. All companies, foreign or local, that process the data of EU residents are covered.
Look at some of the salient regulations that will have to be followed:
All member states of the EU must establish appropriate safeguards for personal data that is retained for longer periods for historical, statistical or scientific purposes. Every member state must also set up a supervisory authority, an independent body that monitors the level of data protection in that state and acts against violations.
Every global organization that handles data on people in the EU will be affected by the GDPR. Personal data may be transferred to a country outside the EU only if that country provides an adequate level of protection (as determined by the EU) or if the transfer is covered by other approved safeguards, and the receiving organization must comply with the data protection rules.
For transfers to the United States, the parallel EU-US Privacy Shield arrangement has the US Office of the Director of National Intelligence give written commitments that Europeans' personal data will not be subject to indiscriminate mass surveillance, and the EU and the USA will conduct an annual joint review to check whether the arrangement is working properly. Under the GDPR itself, data subjects who suffer damage from unlawful processing are entitled to compensation and may be represented collectively by a qualified non-profit body, the closest EU equivalent of a US-style class action lawsuit.
To comply with the GDPR, companies need to map and classify all the personal data they hold, and document everything they do with that data and everything they do to achieve legal compliance. They need to perform risk assessments (data protection impact assessments for high-risk processing), design privacy protections into all new business operations and practices, appoint a dedicated data protection officer where the regulation requires one, and monitor and audit compliance on an ongoing basis.
Two years may seem like enough time to do all this, but companies must start acting now or be found lacking when 2018 rolls around.
What data privacy practices do you think we should institute in the US?