April 14, 2016 will be remembered as the "D-Day" for data privacy, when the European Union (EU) Parliament adopted the General Data Protection Regulation (GDPR). Praised by citizens and feared by companies, the GDPR will unify data protection laws in all 28 EU countries and create a backbone for EU data protection rights for all EU citizens.
Companies now have a two-year compliance window before facing massive fines if their data protection processes fail to meet the GDPR’s standards. Meanwhile, companies have plenty of reading to do if they’re to understand just how impactful these new data privacy regulations will be.
Five EU Data Protection Rights
Under the GDPR, the European Parliament has deemed that citizens are entitled to a number of EU data protection rights that will affect how your company manages data, five of which include:
Right to be Forgotten
Companies will be obligated to delete a person’s data upon request, “providing there are not legitimate grounds for retaining it.” This is not a way to erase the histories of meaningful events or abolish freedom of the press, but rather to protect the privacy of individuals.
Easier Data Access
Companies will have to become more transparent about how they access and process people’s data, and customers will have the right to know in a clear and understandable way how their data is managed.
Right to Data Portability
Companies will have to make it easier for customers to transfer data from one service provider to another.
Right to Know When One’s Data Has Been Hacked
The national supervisory authority will require companies to report external and internal data breaches, as well as notify people whose data is hacked.
Data Protection by Design and by Default
Companies will have to build safeguards into their products and services early on in development, “and privacy-friendly default settings will be the norm—for example on social networks or mobile apps.”
Benefits to Citizens, Challenges to Companies
These beneficial rights of citizens pose major challenges to companies that collect and store personal data. The GDPR applies to all service providers, regardless of their registered headquarters, as long as they have at least one customer who is a citizen of the EU.
Many service providers use real data for application testing, but under the GDPR companies like banks and telecoms will have to ask customers for explicit consent to use their data in test environments, and citizens will not agree to their data being used in testing with insecure databases. Additionally, unless customer consent is given, the GDPR will bar companies from sharing customers’ private information with third parties, such as application vendors or testing partners, potentially outside of the EU.
These changes make it extremely important for IT organizations to start looking at their testing practices. If any real personal data is used for testing, it’s high time to start protecting customers’ data and embark on a Test Data Privacy project to ensure compliance with new EU data protection regulations.
What’s at Stake?
Apart from losing credibility, companies failing to comply with the GDPR will face fines up to €20 million or 4 percent of annual worldwide turnover—whichever is greater.
Many organizations have already accepted the gravity of how EU data protection rights will affect them, making an effort to adhere to the GDPR’s new standard of data protection in the EU, despite the two-year window available for compliance.
Organizations that wish to stay competitive are implementing processes and systems like application auditing to prevent internal data breaches, alongside efforts to combat other forms of exfiltration. Is your company?
The point of the GDPR is to give your customers rights to make them feel safe. As one of my readers put it, in the future it’s possible we could see security ratings given to businesses, just as energy efficiency ratings are given to the appliances in your kitchen. And, believe me, it will matter to your customers that you have a good rating.
Your customers will have a slew of options as to where they wish to conduct their business, and they will go with whichever company is doing the best job to securely manage customer data. Ultimately, part of the criteria for being a major competitor will be how strictly your company complies with the GDPR. Will it be your company, or your competition across town that EU citizens decide to trust?