As 2018 quickly approaches, we have a good opportunity to look towards the future.  GDPR will go into effect in May and with it we should see some significant changes in how companies handle their data.

 

GDPR will affect more than Europe

 

Many companies think that GDPR is just a European Regulation. However, the regulation stretches to information collected on EU Members. As companies continue to stretch their arms into the global marketplace, the time to take GDPR seriously is now.

 GDPR states that if you collect any of this data on EU members you must comply with the regulation:

  • Name
  • Identification number
  • Email address
  • Online user identifier
  • Social media posts
  • Physical, physiological or genetic information
  • Medical information
  • Location
  • Bank details
  • IP address
  • Cookies

The penalties for non-compliance could be rather steep should the EU choose to enforce them.

Depending on the nature of the infraction:

  • A warning in writing in cases of first and non-intentional non-compliance
  • Regular periodic data protection audits
  • A fine of up to 10M Euro or 2% of annual worldwide turnover from the previous year
  • A fine of up to 20M Euro or 4% of annual worldwide turnover from the previous year

 Since this regulation has the potential to affect so many organizations, I think we are going to see some interesting shifts in the data world in 2018.

 

Data collection must become more transparent

 

GDPR says that data should be processed lawfully, fairly and in a transparent manner. People want to know what you are doing with their data. GDPR will require companies to communicate this information. While many of us don't read the fine print when accepting terms and conditions, companies will need to publicize what they intend to do with your data.

Companies will no longer be able to collect your information and use it however they want.  At the moment when they collect that data that will need to indicate what it will be used for and for how long.  Additionally, as listed below in individual rights, companies will have to address more ways that individuals can interact with the data that companies have collected on them. 

Spam will decrease

 

GDPR says that data should be collected for specified, explicit and legitimate purposes. It also says that data should be adequate, relevant to what is necessary.  Some businesses collect data for the purpose to sell it off to other companies while masquerading as a legitimate business.  GDPR should allow us to see a decrease in this activity.  

Other companies have no malicious intent with your data, but they collect information and hold onto it in the case that they might find it useful information later. With GDPR, companies will have to limit their data collection to only what is necessary and state exactly how that data will be used.

GDPR also says that data should be kept in a form which permits identification of data subjects for no longer than is necessary.  

 

Data will become more secure

As we have witnessed with over 25 large scale breaches in 2017, companies have not been responsible about protecting individual’s data.  GDPR says that data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage. Under GDPR Data Breaches must be reported within 72 hours.   GDPR also states that sensitive information must be encrypted.

Most companies do not have very strong data security practices in place.  With the GDPR regulation companies will be motivated to increase their data security in order to avoid the penalties.

 

Individuals will have more power over their data

GDPR lists a variety of rights to the individual.  Companies will need to implement policies in order to accommodate individual rights.  With GDPR individuals will be able to:

  • Access the personal data that companies have collected on them
  • Correct any inaccurate information that has been collected
  • Request that all identifiable information be removed
  • Limit the way their information is processed
  • Move their data from one organization to another
  • Object to the way that their data is handled
  • Opt out of automated processing or profiling

While this will be great for individuals, companies will have to work to implement solutions that will allow for this behavior with their data.

 

How IDERA can help

IDERA has a variety of products that can help companies to prepare for GDPR.

Anonymous