One year ago, Yahoo learned of a data breach affecting some 500 million user accounts. Despite the breach not including customer payment information, the security violation cost Yahoo an estimated $350 million when it was forced to lower its asking price in negotiations with Verizon. As staggering a figure as that is, it still doesn’t take into account lawsuits, government fines and other fees resulting from the breach. In addition to data breaches, whistleblowers and leakers have continued to shed light on government programs aimed at accessing user information.
In light of the threats to personal information, the European Union recently unveiled the new General Data Protection Regulation (GDPR) guidelines aimed at protecting user data. These new regulations—which go into effect in May 2018—will have far-reaching consequences for any company that accesses and uses the personal data of European citizens, regardless of whether or not the company is based in the EU.
How the Regulations Are Changing
While the EU has always had relatively strong requirements for the protection of consumer data, the new changes focus on “conditions for consent, data subjects’ rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the GDPR, and orders by data protection authorities including suspension of data flows,” according to TechTarget. Consumers will also have the “right to be forgotten,” as well as the ability to take their data to whatever company or service they want.
In the event of a breach, companies will also have a finite amount of time to notify the appropriate authorities, as well as any customers impacted.
Companies that fail to comply will face hefty fines:
What Companies Must Do
To avoid costly fines and potential lost business, there are a number of steps companies should take to ensure compliance.
1) Start working toward GDPR compliance now.
Given the far-reaching impact of the new regulations, companies cannot afford to wait until they officially go into effect before complying.
2) Assess the security level of business-critical systems used for personal data storage and processing
Define the scope of business-critical systems that fall under the GDPR requirements. Plan an initial security benchmark assessment so that you get a clear picture of the current security level of those systems and can work out how to improve them from a GDPR compliance perspective.
3) Start making privacy protection a core business component
For too many years, customer privacy has been an afterthought and bolted onto existing solutions in response to the growing threat of data thieves. As the GDPR illustrates, it’s time for companies to start thinking about customer privacy first and designing products and services around that fundamental principle.
4) Ensure your contractors and 3rd parties are aware of GDPR requirements
Software delivered by offshore or nearshore development teams may have been built without the GDPR in mind. Using it could therefore expose you to strict GDPR sanctions, with the reputational and financial losses that follow.
5) Implement a rapid response team and playbook
Because the GDPR requires companies to inform the EU government of data breaches within 72 hours, it is critical for companies to have a rapid response team and a playbook for it to operate within. This includes determining the scope of the breach and, most importantly, whether customer data was compromised.
6) Focus on standards
As the GDPR puts individuals in greater control of their own data, companies will increasingly be forced to turn over that data to the customers so they can take it to whatever service they choose. This underscores the importance of companies using accepted—and often open—standards that easily facilitate data sharing, as opposed to proprietary, closed systems.
Without a doubt, the GDPR represents fundamental changes to how companies interact with customers and their data. By taking preventative measures now, companies can be ready when the GDPR officially goes into effect.