More than four years after the European Union started the journey toward new privacy rules, last week the EU Parliament adopted the final text of the new EU General Data Protection Regulation (GDPR). The EU will complete the long and controversial process that led to the new rules next month, when it publishes the Regulation in the Official Journal of the European Union, but no changes to the text can be made at this point. This leaves businesses with a period of two years, or less, to get ready for its implementation. In fact, some EU countries, like France, intend to implement the new rules before 2018.
As a security and risk professional, you must start working now to assess what the new rules mean for your organization and make the necessary changes to technology, processes, and people. As you approach the task, keep in mind that the GDPR introduces important changes, such as:
- It applies to EU and non-EU companies. Are you thinking that the GDPR is not your issue because your organization doesn't have any presence in Europe? Well, think again! If you offer any products or services to the European market, or if you collect data on European customers, the new privacy rules apply to you.
- Fines are up to 4%. As we predicted, the EU confirmed its decision to go for hefty fines: for breaking the law, companies will pay up to 4% of their global annual revenues or €20 million, whichever is greater. A fine of this magnitude could put many firms out of business.
- Data breach notification is a mandate. Organizations have 72 hours from becoming aware of a data breach to notify the relevant data protection authority. Some EU countries, like the Netherlands, already have this requirement in place, but now companies operating anywhere in Europe must set up their breach notification and response processes, which means being able to detect a breach, establish its scope, and report it within that window.
- Companies must appoint a data protection officer. Companies whose core activities entail regular and systematic monitoring of individuals on a large scale, as well as firms that handle sensitive categories of personal data on a large scale, must designate a data protection officer. This requirement also applies to any public authority or body.
- Privacy by design and by default are legal requirements. The times when privacy was an afterthought are gone forever. These principles require that you integrate privacy requirements into the design of new products and services, and that by default you process only the minimum amount of personal data necessary to achieve a specific purpose.
Additional changes include a mandate for privacy impact assessments, as well as the introduction of new customer rights such as the "right to be forgotten" and the "right to data portability". Profiling of customers and direct marketing must rely on more transparent practices and on customer consent. And you will also need to review your relationships with third parties, since the contracts with them have to reflect the new rules as well.
Tackling this new set of rules requires important changes for every organization that handles customer data, but it also comes with a golden opportunity for Security, Risk, and Privacy professionals. At a time when privacy grabs the board's attention and organizations are growing their privacy budgets, Security, Risk, and Privacy folks have the chance to elevate the privacy discussion from a mere compliance need to a business strategy for growth. In fact, Forrester believes that privacy is a means by which firms can build trusted customer relationships that drive loyalty, retention, and revenues.
If you have questions about the GDPR and how you can make privacy a competitive differentiator for your organization, reach out to us.