Do you know how your personal data is used and exchanged by Facebook or Google? How would you feel if you found that your personal information had been passed to a digital marketer who then bombarded you with promotional offers you have no interest in? Whether you like it or not, this is how it works today. Your personal information is there to be used by anyone who can pay a small amount of money or who is capable of some kind of hacking. Do you ever stop to think about why someone wants your personal information when you register for a service?
In the first six months of 2017, more than six million personal records were exposed through data breaches. Breaches cost organizations millions of dollars today and will continue to do so in the future. Trust and confidence are the most important factors in today's businesses: 70% of customers report that they would be less inclined to work with a business that had suffered a public data breach.
From the above facts, it is evident that data protection matters not only to customers but also to businesses. Even though business leaders understand the value of data, that understanding has not translated into careful data stewardship. But having seen the impact of data breaches on other businesses, the public is now keen on better protection for its data.
The General Data Protection Regulation (GDPR) provides the much-needed kick in the *ss to many businesses that have become complacent about data security. Every business that processes the personal data of people in the EU, whether the business itself is inside or outside the EU, must comply with the regulation from 25 May 2018. GDPR is the successor to the Data Protection Directive (95/46/EC), which was adopted in 1995.
Even though compliance is mandatory, the regulation contains much that any business can turn to its own advantage.
Forcing Awareness of the Entire Data Web
Business leaders are forced to understand their data landscape, whether they run a small company or a large multinational with subsidiaries and hundreds of partners. All incoming and outgoing data flows must be well understood.
- If the business has subsidiaries and partners, the entire data web, including the flows through those third parties, needs to be well understood.
Demanding Knowledge of Data Sources and Origin Countries
Every data source (partners, customers, subsidiaries) feeding data into an organization must be vetted and documented, including the country the data originates from.
GDPR is the first data protection law with global reach.
- It applies to any business that processes the personal data of people in the EU, wherever that business is located.
Advising Data Minimization
Companies must state a purpose for all the personal data they collect, and collect only the data that purpose actually requires, with no extra data kept "in case it is useful later".
- Not holding data for any longer than absolutely necessary.
- Not using data for a purpose other than the one it was originally collected for.
- Deleting data at the request of the data subject (the customer).
Spotlighting Data Sharing
- Data in transit needs to be properly secured.
- Businesses must be able to document appropriate security measures for every step of the data lifecycle.
- Requires clear, affirmative consent for the use of EU residents' personal information.
- Lack of response is not consent: silence, inactivity or pre-ticked boxes do not count.
Breach Monitoring and Response
- Breach notifications must be sent to the supervisory authority within 72 hours of becoming aware of the breach.
- Breach policies need to be carefully set up with partners and well documented, so that a partner's breach reaches you in time to meet the deadline.
Even though this looks like an annoyance for a business, it brings real benefits to any company. The regulation forces a careful design of your business data, stops you from keeping unnecessary data within the organization, and thereby reduces both operational expenditure and the amount of data that could be lost in a breach.
In addition to the above-mentioned points, see this link for a list of major changes that are coming with the GDPR.