Some executives are looking at May 25, 2018 the same way they might look at an open tiger cage or the rushing wave of an approaching tsunami.
On that day the European Union (EU) will begin enforcing the General Data Protection Regulation (GDPR), fundamentally changing the way companies can legally store or process the personal data of people in the EU: approximately 510 million of them. Motivated by the desire to unify data-protection law across EU member states, GDPR applies to any business that processes the personal data of individuals in the EU. Crucially, this includes businesses that have no physical presence in the EU.
To many companies on both sides of the Atlantic, GDPR is poised to become a huge financial and public relations nightmare:
20 million euros OR 4% of global annual turnover (whichever is higher)—the maximum fine for the most serious GDPR violations.
$23.5 million—the U.S. dollar equivalent of 20 million euros at time of writing.
72 hours—the maximum time a company has, after becoming aware of a personal data breach, to notify its supervisory authority; significantly shorter than most U.S. laws.
10 million euros OR 2% of global annual turnover (whichever is higher)—the maximum fine for failing to notify a regulator of a breach within 72 hours, the lower of GDPR's two penalty tiers.
Faced with such huge penalties, enterprises, especially in the U.S., have become paralyzed:
2/3—of U.S. companies are reconsidering their European business strategies.
61%—of U.S. businesses have not begun preparing for GDPR.
50%—of U.S. businesses are estimated not to be in compliance with GDPR when it goes live.
U.S. companies may be nervous or outright terrified, but GDPR may be fulfilling a significant need in an online marketplace marked by eroding trust:
67%—the percentage of respondents in Eurobarometer’s 2015 survey expressing concern about their data privacy.
68%—the percentage of respondents in Gigya’s 2017 survey expressing concern about brand usage of their personal data.
81%—percentage of American respondents in Deloitte’s 2016 survey who felt they have lost control of their personal data to companies.
Despite conflicting findings, millennials—the generation beginning to truly dominate the digital world—also appear to be clamoring for GDPR’s consumer protections and a rebuilding of online trust:
80%—the percentage of millennials who consider it important that their personal information be shared only with those they authorize, according to Atomik Research's 2015 survey.
40%—the percentage of millennials willing to hand over a summary of their shopping habits in exchange for free products.
54%—the percentage of millennials who believe that government failure to improve online security will further erode public trust in online goods and services.
Some experts state that Identity Governance and Administration (IGA) may help companies with GDPR compliance: IGA tools reduce the risk of unauthorized disclosure or alteration of data by monitoring and certifying user entitlements to the databases that hold it. Others contend that more general identity management tools, paired with privileged access controls for administrators, can support lawful processing just as well. In either case, GDPR is a wake-up call for companies to look at the data they collect, who can see it, and how best to secure it for the future.
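To make the entitlement-monitoring idea concrete, here is an added example of the core check an IGA review performs: reconcile the privileges actually granted in a database against a least-privilege role baseline, and flag anything a user's roles do not justify, with extra weight on tables tagged as holding personal data. This is illustration code written for this article, not the product of any IGA vendor or of AlienVault; the role model, the table classification, the user list and the grant list are all constructed, hypothetical data of the kind such a tool would pull from a database's privilege catalogue.

```python
"""Entitlement reconciliation against a least-privilege role baseline.

Added example, not from the original article. All data here is constructed:
a hypothetical role model, a hypothetical data classification, and a
hypothetical grant list as exported from a database privilege catalogue.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Hypothetical data classification: tables that hold personal data.
# A finding that touches one of these is rated high, since that is the
# data GDPR is about.
PERSONAL_DATA_TABLES = {"customers", "orders", "support_tickets"}

# Hypothetical role baseline: role -> {table: privileges the role may hold}.
# "*" means every table.
ROLE_BASELINE: dict[str, dict[str, set[str]]] = {
    "support_agent": {"customers": {"SELECT"}, "support_tickets": {"SELECT", "UPDATE"}},
    "billing": {"customers": {"SELECT"}, "orders": {"SELECT", "UPDATE"}},
    "analyst": {"orders": {"SELECT"}, "products": {"SELECT"}},
    "dba": {"*": {"SELECT", "INSERT", "UPDATE", "DELETE"}},
}

# Hypothetical user -> roles. "dave" is deliberately absent: a leaver whose
# database account was never deprovisioned.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"support_agent"},
    "bob": {"analyst"},
    "carol": {"dba"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    table: str
    privilege: str


@dataclass(frozen=True)
class Finding:
    grant: Grant
    kind: str        # "orphan" (no role at all) or "excess" (beyond baseline)
    severity: str    # "high" if the table holds personal data, else "medium"
    reason: str


def allowed_privileges(roles: Iterable[str], table: str,
                       baseline: dict[str, dict[str, set[str]]] = ROLE_BASELINE) -> set[str]:
    """Union of privileges that the given roles permit on `table`."""
    allowed: set[str] = set()
    for role in roles:
        perms = baseline.get(role, {})
        allowed |= perms.get(table, set()) | perms.get("*", set())
    return allowed


def review(grants: Iterable[Grant],
           user_roles: dict[str, set[str]] = USER_ROLES,
           baseline: dict[str, dict[str, set[str]]] = ROLE_BASELINE) -> list[Finding]:
    """Return every grant that no assigned role justifies."""
    findings: list[Finding] = []
    for g in grants:
        severity = "high" if g.table in PERSONAL_DATA_TABLES else "medium"
        roles = user_roles.get(g.user)
        if not roles:
            findings.append(Finding(g, "orphan", severity,
                                    "account has no role assignment; revoke and disable"))
            continue
        if g.privilege not in allowed_privileges(roles, g.table, baseline):
            findings.append(Finding(g, "excess", severity,
                                    f"no role in {sorted(roles)} permits {g.privilege} on {g.table}"))
    return findings


def revocation_plan(findings: Iterable[Finding]) -> list[str]:
    """SQL REVOKE statements for the flagged grants, highest severity first."""
    ordered = sorted(findings, key=lambda f: (f.severity != "high", f.grant.user))
    return [f"REVOKE {f.grant.privilege} ON {f.grant.table} FROM {f.grant.user};" for f in ordered]


# Constructed grant export, as a privilege catalogue query might return it.
GRANTS = [
    Grant("alice", "customers", "SELECT"),
    Grant("alice", "support_tickets", "UPDATE"),
    Grant("alice", "customers", "DELETE"),   # excess: support agents may not delete customers
    Grant("bob", "orders", "SELECT"),
    Grant("bob", "customers", "SELECT"),     # excess: analyst baseline has no customers access
    Grant("bob", "products", "SELECT"),
    Grant("carol", "customers", "DELETE"),   # within the dba baseline
    Grant("dave", "orders", "SELECT"),       # orphaned account
]

if __name__ == "__main__":
    for f in review(GRANTS):
        print(f"[{f.severity}] {f.kind}: {f.grant.user} {f.grant.privilege} on {f.grant.table}: {f.reason}")
    print("\n".join(revocation_plan(review(GRANTS))))
```

The point of the baseline is that the question "should this user have this privilege?" is answered by the role model, not by whoever happened to run GRANT last; running the reconciliation on a schedule, and again whenever HR removes a role, is the monitoring the paragraph above describes. In a real deployment the grant list would come from the database's own catalogue (for example PostgreSQL's information_schema.role_table_grants) and the role assignments from the identity provider rather than from literals.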
If you are feeling the pressure, and don’t know where to begin with compliance, you can check out the GDPR Compliance Checklist: A 9-Step Guide, courtesy of AlienVault.