By Tim Critchley, CEO, Semafone
Since the beginning of the year, there have been 456 disclosed data breaches in the US, compromising a combined total of nearly 8 million records, or roughly 17,000 records per day. Those numbers come from the Identity Theft Resource Center's 2017 Data Breach Category Summary Report.
Yet despite these continued breaches, the US still has no single, comprehensive national law regulating the collection and use of individuals' personal data. Instead, it relies on a patchwork of federal and state laws and regulations that sometimes overlap and at other times outright contradict each other. That makes it increasingly difficult for individuals to control where, when and how their data is processed.
Developed with the goal of creating a single framework across the European Union, the GDPR will better protect EU citizens' personal data and also simplify the rules for companies operating there. What many US companies may not realize, however, is that they may also have to comply with this new EU data protection regulation: its rules apply to any business that holds data about, or markets to, individuals within the EU, regardless of where that business is located. So even US-based companies that hold or process data pertaining to EU residents must comply with the GDPR.
And here's the kicker: businesses that do not comply can face fines of up to 4 percent of their global annual revenue or €20 million (about $21.37 million), whichever is greater, and may also face collective legal action brought on behalf of EU citizens.
Now, before you panic: the GDPR does not begin to apply until 25 May 2018. But rather than waiting, I recommend that companies start preparing now by taking the time to understand the GDPR's requirements and plan accordingly to minimize risk.
The rollout and adoption of the GDPR is a positive move. It defines a very specific goal for the privacy of individuals in the EU, wherever their data is processed, while also standardizing the processes and requirements businesses must meet to reach that objective. And while it may not be perfect, the GDPR does create a new international benchmark for data protection that IT security professionals should embrace.
The good news is that the GDPR may become one of the first truly global security frameworks, standardizing and simplifying business processes. This goes beyond even the scope of the Payment Card Industry Data Security Standard (PCI DSS), which is perhaps the closest thing to a global security requirement today. While PCI DSS does include penalties for non-compliance, those penalties are contractual, imposed through the card brands and acquiring banks; it is a self-regulated industry standard and does not carry the weight of a law.
While the transition may seem daunting, IT security professionals should take heart: the GDPR could finally be the toolkit they need to ensure that the sensitive data of customers and employees is stringently protected in a uniform manner, wherever it resides.
To learn more about the EU GDPR and what it means for US companies, read my article in CMS Wire here.