I think it’s time for a somewhat more balanced and optimistic view of the EU’s impending General Data Protection Regulation (GDPR). When the new regulation takes effect in May 2018 it will eliminate the confounding thicket of outdated local rules that has grown up under the 1995 Data Protection Directive. It will replace them with a single, uniform mandate that enhances the rights of EU data subjects and clarifies the privacy and security obligations of organizations that hold and process personal information.
The industry response to GDPR has, to date, been long on doom and gloom, with a fair amount of FUD (fear, uncertainty and doubt) thrown in for good measure. It has obsessed over the increased compliance burden for organizations processing data and the far higher penalties for non-compliance. This is entirely understandable, because the new regulation’s scope is broad and its impacts far-reaching. GDPR will:
- Expand the rights of EU citizens to access, rectify and erase their personal data, even if data processing does not take place in an EU Member State
- Obligate data controllers and processors to implement technical and procedural measures to secure all personal data
- Limit and define the specific circumstances in which personal data may be collected and used, including stricter requirements for demonstrating consent and enabling its withdrawal
- Require data controllers and processors to incorporate privacy protections by design/by default in their products and business operations
- Make organizations accountable for demonstrating that appropriate privacy safeguards are in place to ensure compliance
- Require prompt reporting of data breaches to supervisory authorities and individuals
- Establish fines for non-compliance of up to €20 million or 4 percent of total annual turnover of the preceding financial year, whichever is higher
But as one security professional to another, let me ask you this: aren’t these requirements entirely consistent with the best practices to which we already hold ourselves? Aren’t these the same goals we set for ourselves? Don’t we seek to secure the information we use and to protect the rights and privacy of individuals? Don’t we lie awake at night worrying about the financial and reputational havoc that a serious data breach could wreak on our organizations? Don’t we already do everything we can to protect our business, our employer, our colleagues and our customers alike?
And what holds us back? Why do we sometimes fail? Isn’t it often a lack of resources, a shortage of executive support, a business strategy that invests first and foremost in bottom line growth, profitability or Earnings-Per-Share and only as an afterthought in information security?
I believe that GDPR may be exactly what we need to finally get our management’s undivided attention. It outlines privacy and security priorities we can easily match against our own lists of known needs and vulnerabilities. It gives us a ticking clock against which to measure our progress. It gives us a financial incentive no CFO can ignore. Maybe it even gives us both the carrot and the stick we need to secure the extra headcount or budget required to deliver at the level we have always wanted to.
So, enough of the negativity. GDPR is an opportunity; let’s not let it go to waste.