Data Protection Regulations: Are you ready?
Are you building your data-protection strategy?
In a world where end-consumer data helps drive customer profiling and segmentation, organizations are now able to become more customer-centric; however, the EU’s General Data Protection Regulation (GDPR) is perhaps making organizations rethink how they control and process personal data. To comply with this European regulation, multinational corporations (MNCs) that operate in the EU must work closely with their data protection and privacy officers to understand the global data privacy controls that protect personal data.
How it differs from the US privacy model
The standard prompting a data-breach notification in the United States is the “unauthorized access or acquisition” of personal data such as social security numbers and/or banking information, but the GDPR has a much broader coverage, including “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” The EU defines “personal data” as any data that can be directly or indirectly associated with an individual. In summary, a much lower threshold has been set, effectively raising the bar for security. Penalties for non-compliance with GDPR are set at 20 million EUR or four percent of the company’s global revenue (whichever is higher!). However, many recent studies show that more than 50% of the companies who are required to abide by the mandate will not have a comprehensive data protection strategy by May 2018, the EU deadline.
Your Action Plan
To be compliant with the mandate, many organizations have already appointed Data Protection Officers and Chief Privacy Officers who are actively working to establish and roll out measures which will, at a minimum, help organizations to:
- Be proactive regarding data protection, understand what data is being collected, and where/how it is stored and transferred.
- Regulate access and flow of personal data with security layers and restrictions.
- Ensure ‘data processors’ comply with similar restrictions.
- Establish and maintain audit trails.
- Comply with requests for ‘erasure’, ‘portability’, ‘rectification’ etc. of personal data.
While the primary actors would remain the Data Controller and Data Processor, we expect a growing number of moderators and auditors to participate in varying degrees. As summarized by Forrester: “Fifty-six percent of North American consumers are worried about identity theft, 33% worry that their data is being permanently recorded, and 44% worry that apps are collecting information without their consent. What’s more, 350,000 consumers have asked Google to remove their information from searches under the Right to be forgotten regulations.” Will the voice of the consumer drive similar regulations in the US? Only time will tell, but it surely wouldn’t hurt to be prepared!
At Sogeti: We not only have Data Protection Officers but also a large group of professionals who are certified in cybersecurity and privacy; at the same time, we are actively assisting organizations to strategize and achieve their security vision and mission. Have you built your data protection strategy yet?