Over the last decade data has become one of the most valuable assets an organization holds, and protecting it has become one of the central problems of cyber security. High-profile breaches such as the 2017 Equifax breach show that attackers deliberately target large data stores, both to reach bank accounts directly and to sell the stolen records to identity thieves. One law will soon turn data protection from a matter of company policy into a legal obligation: the General Data Protection Regulation (GDPR).
What is GDPR?
The General Data Protection Regulation is an EU law that takes effect on May 25, 2018. It protects individuals in the European Union (not only EU citizens) and applies to any organization that processes their personal data, whether or not that organization is based in the EU. In practice, if you do business with people in Europe and keep their data, you are legally required to keep that data secure. You also need a lawful basis for collecting and processing it, of which the individual's consent is the best known but not the only one, and you are accountable if the data is stolen, including an obligation to notify the supervisory authority of a breach within 72 hours of becoming aware of it. Failing to maintain appropriate security can draw fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. Much of this stems from the public reaction to data breaches: many people hold the breached company at least as responsible as the attackers.
What does the GDPR mean for your company?
If you do business with people in the European Union, this law will have a major impact on your business. As one expert has noted, this is not something you can take care of with an extra paragraph in your terms of service. It requires system-wide compliance and may mean restructuring a company's security program. One especially important point is to understand what constitutes personal data. It is much more than a home address, phone number, or national identification number. The GDPR defines personal data broadly enough to cover anything that can identify a person directly or indirectly, including an IP address or cookie data. All of this data must now be secured in order to protect the people it describes. Personal data includes the following:
- Name, home address, and identification numbers
- Medical and biometric data
- Racial, ethnic, and sexual orientation data
- Political data and opinions
- Online data including IP address and cookie data as well as location
What makes compliance particularly difficult is that the regulation does not prescribe specific controls. Article 32 requires "appropriate technical and organisational measures" that take into account the state of the art, the cost of implementation and the risk to the individuals concerned, but what counts as appropriate in a given case is left to interpretation by the supervisory authorities of the member states and will be debated and refined by regulators and courts in the months and years to come. The final point your company should understand is that the law applies even if you have no business branch or physical presence in Europe. It is enough that you offer goods or services to people in the EU, or monitor their behaviour, and hold their personal data.
For any company that collects and stores data on users, the GDPR is a game-changing legal requirement that will demand substantial changes in IT and security practice. The earlier a company starts aligning its systems and processes with the law, the easier the transition will be when it takes effect in May.
New Edge Technology Solutions keeps an ear to the ground on all aspects of cyber security. We make sure our clients know we have their back by keeping them informed about upcoming concerns such as the GDPR. Have questions about your own or your company's cyber security? Contact us for a free consultation.