Is North America Ready for The New GDPR Legislation?
What is the GDPR?
In 1995, the European Union (the "EU") adopted the Data Protection Directive (the "Directive"), which regulates the processing of personal data throughout the EU. The Directive provides guidelines for the development of privacy law in the EU's Member States. Since the Directive acts more as a guideline than as an actual law, Member States were required to implement their own privacy laws. This requirement created an assortment of privacy laws across the EU that adhere to the basic principles of the Directive. On May 25, 2018, the General Data Protection Regulation (the "GDPR") will bring a single cohesive system of privacy regulation to the EU. The new system will strengthen the protection of individual privacy rights and simplify business rules for companies operating in the EU market. Any company, regardless of location, that handles the personal information and data of EU citizens must comply with the GDPR. This includes law firms in North America, should they handle the personal information of an EU citizen.
Why is the GDPR necessary?
Despite our own efforts to protect our personal data, significant amounts of our personal information are available online. Personal information that only we should know is sometimes shared with several online services. Many of us are unaware of this invasion of privacy while freely giving away our personal information in order to log into social networks or undertake online transactions. But what happens once that data has been obtained by services such as Facebook? The main concern is that the data will be sold and distributed without consent. The impending guidelines being introduced by the GDPR will provide EU citizens with more transparency about who has access to their personal information.
The Directive stipulates limited restrictions on the collection and retention of personal data, whereas the GDPR incorporates the "privacy by design" principles that are also recognized in Canada. The GDPR also contains additional accountability requirements, including but not limited to:
- Stricter data protection policies and procedures;
- Enhanced record keeping obligations;
- Requirements for data protection impact assessment for high risk activities; and
- Requirements for stronger security measures matching the risk of data breaches and potential harm to individuals.
Implications for Businesses
Companies of all sizes that handle EU citizens' data will need to ensure the efficacy of their security capabilities. To address the operational challenges associated with achieving GDPR compliance, most organizations will need to undergo numerous changes. Businesses are concerned that compliance with the most recent guidelines will come at a high cost, despite the GDPR making it easier for companies to ensure they're in line with the law. The transition may seem like a lot of effort, but making it will reduce the likelihood of a company falling victim to a large-scale data theft. Furthermore, it should become easier for companies outside the EU to do business with the bloc, as there will only be one set of rules to follow.
Why was the GDPR drafted?
One of the main factors behind the introduction of the GDPR is the EU's desire to bring data protection law in line with how people's data is being handled. Major firms like Google, Twitter and Facebook offer their services for free, as long as people offer their data to these tech giants, with consumers unaware of the dangers that lie within their consent. This can be illustrated by the ongoing Cambridge Analytica scandal, where 50 million Facebook profiles were harvested to influence the 2016 US election. Another driver of the GDPR is the EU's desire to give organisations more clarity over the legal environment that dictates how they can operate. By making data protection law identical throughout member states, the EU believes this will collectively save companies billions annually.
When will the GDPR apply?
The GDPR is a regulation, not a directive, and for that reason it will apply automatically in May 2018. While the overwhelming majority of IT security professionals are aware of the GDPR, just under half of them are preparing for its arrival. According to a snap survey of 170 cyber security staff by Imperva, just 43% are assessing the GDPR's impact on their company and changing their practices to stay in step with data protection legislation. While the respondents were mostly US-based, they must still comply with the GDPR if they handle EU citizens' personal data. Companies like dealcloser, which already partner with leading, secure platforms, are among the most prepared for the leap towards optimum privacy protection.
The GDPR is a crucial piece of legislation that gives people more rights over what organisations can do with their information. Depending on how much focus businesses put on customer privacy, complying with the GDPR might be a simple step or a lengthy undertaking. In any case it is a step in the right direction from which all parties benefit.