As 2018 quickly approaches, we have a good opportunity to look towards the future. GDPR will go into effect in May and with it we should see some significant changes in how companies handle their data.
Many companies think that GDPR is just a European Regulation. However, the regulation stretches to information collected on EU Members. As companies continue to stretch their arms into the global marketplace, the time to take GDPR seriously is now.
GDPR states that if you collect any of this data on EU members you must comply with the regulation:
The penalties for non-compliance could be rather steep should the EU choose to enforce them.
Depending on the nature of the infraction:
Since this regulation has the potential to affect so many organizations, I think we are going to see some interesting shifts in the data world in 2018.
GDPR says that data should be processed lawfully, fairly and in a transparent manner. People want to know what you are doing with their data. GDPR will require companies to communicate this information. While many of us don't read the fine print when accepting terms and conditions, companies will need to publicize what they intend to do with your data.
Companies will no longer be able to collect your information and use it however they want. At the moment they collect that data, they will need to indicate what it will be used for and for how long. Additionally, as listed below under individual rights, companies will have to support more ways for individuals to interact with the data that companies have collected on them.
GDPR says that data should be collected for specified, explicit and legitimate purposes. It also says that data should be adequate and relevant to what is necessary. Some businesses collect data for the purpose of selling it off to other companies while masquerading as a legitimate business. GDPR should allow us to see a decrease in this activity.
Other companies have no malicious intent with your data, but they collect information and hold onto it in case it proves useful later. With GDPR, companies will have to limit their data collection to only what is necessary and state exactly how that data will be used.
GDPR also says that data should be kept in a form which permits identification of data subjects for no longer than is necessary.
As we have witnessed with over 25 large-scale breaches in 2017, companies have not been responsible about protecting individuals' data. GDPR says that data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage. Under GDPR, data breaches must be reported within 72 hours. GDPR also states that sensitive information must be encrypted.
Most companies do not have very strong data security practices in place. With GDPR, companies will be motivated to improve their data security in order to avoid the penalties.
GDPR lists a variety of rights to the individual. Companies will need to implement policies in order to accommodate individual rights. With GDPR individuals will be able to:
While this will be great for individuals, companies will have to work to implement solutions that allow individuals to exercise these rights over their data.
IDERA has a variety of products that can help companies to prepare for GDPR.