We're just over a month away from the commencement of the EU's GDPR, or General Data Protection Regulation.
In a nutshell, GDPR is aimed at providing EU consumers with more control over their data. From portability to erasure, EU citizens will be able to better understand, in lay-person terms, how their data will be collected and used.
GDPR is not limited to EU businesses; any organization that collects EU consumer data will have to abide by it.
One of the best examples of a company that has been actively preparing for GDPR is Box. Alex Hickey of CIO Dive recently spoke to Crispen Maung, VP of Compliance at Box, about what the company has been doing in order to prepare:
- Box has spent the last two years studying existing data protection protocols and regulations, like ISO and HIPAA.
- In addition, the company has been actively engaged with regulators to ensure Box would be ready when the switch flipped on May 25, 2018.
So why does this matter to US-based companies? There are many reasons why we see this as an important piece of regulation to monitor. Most of our clients do not have exposure to EU consumers, and therefore have no need to adopt GDPR-compliance practices. I believe, however, that US regulators will evaluate GDPR's impact to determine whether it's appropriate, in whole or in part, here in the US.
Data Protection Officers
The Data Protection Officer (DPO) becomes a mandatory enterprise security leadership role for all companies that collect or process EU citizens' data. While US-based companies are not required by law to have one, having leadership-level expertise overseeing data protection strategy and implementation will be an important safeguard. The DPO could be someone who adds the role to their existing responsibilities, or it could be a completely separate position within the organization. Either way, an individual qualified in information security should be in this role.
There are financial impacts with GDPR. Companies required to comply that violate the rule could face a penalty of up to 4% of revenue. While many US companies are not required to comply, understanding the magnitude of penalties for data breaches may be a catalyst to implement more rigorous oversight.
A second financial impact will be lost ad revenue. If customers choose to keep their data private, then GDPR will impact targeted ad spending, which will lead to lower ad revenue. In the US, there's a growing tide of negative sentiment around the sharing of data without users' permission. While it remains to be seen whether any regulation will follow, users have become more aware, and a portion will put safeguards in place to protect themselves.
Private customer data may also result in fewer tailored customer experiences, because companies will no longer have the specific data elements needed to create them. For companies not yet under the regulation, there's a need to innovate around customer experiences that don't rely on data which may be kept private in the future.
The GDPR regulations will surely usher in an emergence of outside GDPR auditors and consultants. This will add another layer to vendor management and institute the need for additional safeguards. Companies that don't fall under GDPR might be well advised to solicit third-party input into their own data management strategy as a proactive measure.
As we know, tech innovation has made our global society more interconnected. These innovations have led us to produce a lot of data daily. In 2013, IBM calculated that every day 2.5 quintillion pieces of data are created. Another statistic I've seen estimates that over the next 3 years humans will produce almost 40 zettabytes (40 trillion gigabytes) of data made up of photos, likes, posts, tweets, later-grams, online orders, payment card information, digital health records, shopping history and habits, etc. It's a treasure trove of data, which is why companies like to monetize it and hackers like to get hold of it. By giving consumers more control over their digital footprint, GDPR is forcing companies to better manage how they obtain and use their customer data. Not that I want to incite a firestorm, but I'm curious what the DLT experts see as an option, if any.
Clearly there are a lot of moving pieces here, but one thing is for sure: consumer data is very valuable. I'm intrigued to see how GDPR is received and regulated. Coincidentally, GDPR is rolling out at an interesting time. We've had massive data breaches, unauthorized data scraping, and fraudulent account opening activity. Arguably, GDPR is late to the game. For most of us, our data and PII have been compromised for years and decades.
My question is not how long my passwords should be, but rather how do I protect and present my identity so I can transact both digitally and in person? I have a feeling this time in our lives will be a future lecture point or course in school.