Is Your General Data Protected? Ignore GDPR at Your Peril!
Alarmist headlines like this about GDPR remind me of the Y2K bug, when people feared those pesky digits missing from early mainframe and minicomputer programs would cause planes to fall out of the sky and power stations to grind to a halt. Alas, we know the Y2K bug was much ado about nothing, except for consultants profiting from fear of the unknown.
Unlike Y2K, the impending General Data Protection Regulation (GDPR) mandate is based on what we do know: In recent history, businesses have had massive data piracy hacks threatening their credibility and survival. As the owner of a marketing-based company I take data privacy and protection very seriously, for real reasons, as should you.
In the U.S., we may not have heard of the term before (since it originated in Europe) and think "Why would such a law affect us?"
Here’s why: Although GDPR is of E.U. origin, it applies to any business offering services or goods to any E.U. resident. As the E.U. market is the largest in the world and almost every global enterprise is doing business in the E.U., this means GDPR becomes the de facto standard worldwide. And beware: Noncompliance can carry penalties as high as 4 percent of annual global revenues.
The increasing expansion of cloud and mobile computing practices in enterprises makes U.S. companies more exposed to GDPR, as they often act in both roles, as data processors and as data controllers.
Due to their global trade relationships and dependencies, U.S. companies are increasingly required to expand privacy efforts and make them more flexible. U.S. companies operating in the E.U. market that gather personally identifiable information (PII) are subject to GDPR regulations in all of the E.U. countries where they do business. Organizations are not protected from responsibility because they rely on a third-party cloud provider to manage data, which is often also a U.S. company. The first step is to recognize this responsibility and create a strategy to react and comply by May 2018, when GDPR becomes law.
One of the starting points is to appoint a Data Protection Officer (DPO) — a position that will become a legal requirement in E.U. organizations with a central data storage and processing function.
The E.U. General Data Protection Regulation (EU GDPR) provides a single data protection law for the E.U. — creating a reference and basis upon which security platforms can be initiated, and preventing the loss of personally identifiable information as a consequence of security breaches. The GDPR will enforce stringent data protection requirements for all organizations that possess or process personally identifiable information, and/or monitor the behavior of E.U. citizens.
GDPR has been created to ensure that data protection laws are up to date with the “internet age” and are responsive to the ever-increasing threat of security breaches and cyber-attacks. The directive is prescriptive and will help to reassure European citizens that their personal data is safe, enhancing their confidence and interaction with online services.
The regulation puts the security of EU citizens at the forefront of all processing activities — including granting individuals new legal rights concerning access and data erasure, and holding organizations accountable for any obligations to which they fail to adhere.
The Role of a Data Protection Officer (DPO) in GDPR
Your DPO can be a staff member or contractor; however, the role must be designated on the basis of professional qualifications and expert knowledge of data protection laws. Here’s what the job demands:
- Inform and advise the data processor and employees who process personal data of their obligations under the regulation.
- Monitor compliance with these regulations, including the assignment of responsibilities, awareness-raising, and training of staff involved in the processing operations, and related audits.
- Provide advice where requested regarding the data protection impact assessment and monitor its performance.
- Cooperate with the supervisory authority.
- Act as the contact point for the supervisory authority on issues related to the processing of personal data.