As the May 25 deadline approaches for implementation of the European Union's new internet privacy laws—dubbed the "General Data Protection Regulation"—it's more vital than ever that all tech companies with interest in the United States and abroad understand the regulation's implications. Although the General Data Protection Regulation (GDPR) is legislation passed by the EU for the protection of its member state citizens, the impact of its requirements and restrictions will be felt throughout the global corporate world as data becomes the currency of the Digital Age.
Internet giant Facebook is currently in the process of complying with the law by implementing tools for users to better protect their data, but in the wake of Facebook's failure to secure user data against the unauthorized use by the U.K.-based Cambridge Analytica it's become obvious why the regulation is needed. And as the number and size of security breaches continues to grow and the value of data continues to increase, the case gives a glimpse into how the United States' laws may change as well.
So, what does this all mean for the IT industry and the organizational infrastructures it supports?
According to the law, all digital entities must clearly announce their intention to collect digital information on a website or application, and any data related to EU citizens that is collected through interactions with any entity (regardless of nationality) must be made accessible to those citizens under penalty of substantial fines, upwards of 4% of their annual revenue. Protected personal data is, according to the GDPR definitions, any information that could be used to identify a person either directly or indirectly, including that person's "name, an identification number, location data, an online identifier or… factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity." This means that not only must companies provide their customers with consistent, reliable security at every touchpoint, but that the protected data must be easily retrievable at any time.
In the wake of several high profile digital business data breaches—Yahoo, LinkedIn, and now Facebook—accountability is among the highest priorities of the legislation. According to Wired Magazine, unauthorized data incursions must "be reported to a country's data protection regulator… where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more."
For companies that conduct international business and house their products and programs in Cloud services, this new set of regulations has become especially relevant. Beyond the more transactional elements of the relationship between a user and their data, a company's cybersecurity is under greater scrutiny than ever before.
But the problems GDPR intends to address will not be resolved overnight by one piece of legislation. For IT leaders, the challenge will be in building infrastructures that are able to adapt to future conditions; to respond to new changes in legislation, new requirements from oversight, and new expectations from customers. As there are legal challenges to GDPR throughout the E.U. and U.S. legislation inevitably rushes to catch up with data protections of its own, will the infrastructures built today be able to handle the demands of the future?
More valuable data demands greater protections, which in turn invite more sophisticated methods to attack, which demand more sophisticated counter measures, and so on. This cycle necessitates the application of an increasingly high degree of IT flexibility and expertise, all while negotiating users' attunement to those perils and responding to their concerns. As data becomes more valuable for business, customers will likely become more protective of it; without proper protections in place, IT departments will be on the front lines, finding solutions to potential backlash. And once the U.S. does catch up with its own legislation, a slew of new expectations will make it essential that those who would implement it are prepared.
How companies are able to anticipate these changes over the long term may mean the difference between budget shortfalls or windfalls, and IT infrastructure utilities are uniquely positioned to adapt to those shifting circumstances. It's the responsibility of IT leaders to take GDPR as an opportunity to truly lead and clear the path for future security, transparency, and resilience.
|Like what you read? Stay current on TenFour's IT industry insight by subscribing to the Access Point blog via the link above, or connecting with us on LinkedIn, Twitter, and Facebook.
To learn more about TenFour, check out our Customer Journey page, or email email@example.com.
Copyright © 2018 TenFour | Photo by Slon Pics