The clock is ticking: by May 2018, enterprises active in the European Union must put in place state-of-the-art data protection processes and systems – or face fines of up to 4% of their global revenue.
The European Commission, the Council of the European Union, and the EU Parliament have laid down this requirement in the General Data Protection Regulation (GDPR). The new regulation applies to all organisations – whether based in the EU or not – that do business with EU residents and store or process their personally-identifiable information.
Today our lives are dominated by cloud-based services offered by companies like Facebook, Google, and Amazon. The business world has taken a similar route: an increasing number of companies use cloud services, from office and collaboration software to salesforce automation or enterprise resource planning. The value added by cloud services largely depends on aggregating and analysing end user data: who are their friends, and what kind of information do they share with them? What do they search for on the internet? What are their interests and concerns? What do they buy, and what would they like to buy in the future?
In the US, few consider this information gathering to be a serious problem. In Europe, however, the situation is different. This is at least partially fuelled by Europe’s experience with surveillance and state-driven mass data collection in the past. Europeans tend to be more sceptical of large-scale data gathering – despite huge potential benefits, such as in medical research.
So, the EU decided to refine its data protection laws for the cloud era. At the moment, the GDPR is probably the most comprehensive data protection legislation on the planet. It aims to strengthen EU residents’ privacy rights and harmonise privacy regulation across the EU’s member states. It also sets a high bar for responsibility and accountability:
- Enterprises – including IT vendors – must have data privacy processes and systems in place (e.g. privacy by design, privacy by default)
- Certain enterprises must have a Data Protection Officer
- In high-risk sectors such as the financial industry, enterprises need to conduct Data Protection Impact Assessments
- In case of a data breach, enterprises must inform authorities, and in some scenarios customers as well, unless these data are encrypted or pseudonymised – making it a natural choice for enterprises to encrypt customer data as soon as possible
- The heated debate about the ‘right to be forgotten’ in the age of Google searches resulted in an explicit right to data erasure
Achieving compliance with this regulation means a lot of work for all enterprises affected – from a thorough inventory of all locations where customer data is stored to defining, and finally implementing, all required roles and processes. The more centralised an enterprise’s application and data-storage environment is, the easier it will be to meet technical compliance goals.
This centralisation can be achieved in various ways, for example by introducing unified access controls across on-premise and cloud services with single sign-on; by rolling out centrally-managed virtual workspaces that give end users a secure and consistent workspace environment; by monitoring mobile device and app security; and by employing an enterprise file-sharing system that allows the IT department to apply stringent rules regarding who can share information with whom, and where this information is stored.
The good news is: once the GDPR system of privacy controls is in place, it will provide a well-thought-out balance between the personally-identifiable information economy and end users’ privacy concerns, providing a unified mechanism applicable throughout the EU.
Most of all, with the incentive to extensively encrypt customer data, information security is bound to improve. So ultimately, the GDPR is good news for customer privacy and enterprise IT security.