When I ask you what password to use for an account you are about to create, what do you immediately think of? Your date of birth? Your son’s birthday? Your house address? Did I get it right? Of course! And fear not, because I am also guilty of it, and we are not the only ones either: according to Forrester (an independent research firm), nearly 30% of security professionals still use basic personal information as a password reference. This means it will be the same for most of your clients and the people you do business with. This basic yet critical information is what the new GDPR regulation aims to protect first and foremost.
The EU General Data Protection Regulation (GDPR), proposed by the European Commission, will take effect this year. This will not only affect businesses in the European countries, but also US companies doing business with EU citizens. If you are a global enterprise that does so, you have until the 25th of May this year to be compliant, or pay the hefty price of 4% of your annual global income or up to 4 million Euros, whichever is greater. You can learn a few steps to be GDPR ready here.
The new regulation is expected to change the way business enterprises around the globe handle customer data, with a primary focus on personal and critical information, which includes but is not limited to:
- Basic information such as name, date of birth, etc.
- Racial Data
- Sexual Orientation
- Biometric Data
- Political Opinions
The whole GDPR context is broad and complex to cover, but it can be narrowed down to three major points.
What’s in it for the data owner?
1. Better Data Protection and Privacy – One of the most criticized requirements of the GDPR is that businesses appoint a Data Protection Officer, as either a data controller or a data processor. The task of this person is to make sure monitoring of the data is done systematically and on a regular basis. And yes! Data protection, the security of your customers, surely needs this kind of focus, or it could cost you dearly! The intention of this requirement is good, but the appointment will be an administrative burden to some. Here’s the thing: security awareness can never be covered by one person in an organization. At least that’s what I believe. Have your whole team be involved in the awareness. They should not simply focus on compliance but on knowing the importance of the data they are entrusted with. Simply being vigilant about the information you receive on a daily basis, from emails, files, and what you click, can already be a big start for the whole organization.
2. More Control over how Data will be handled – The regulation does not stop at making sure protection and privacy are practiced at high levels by businesses. Another main aim is to give customers better control over how their personal data is stored and processed. “Consent” will play the primary role before any processing takes place on the data your customers have provided. Should any breach happen, businesses are under the obligation to notify the affected data owners once the severity has been determined. Thoughts on this?
3. More rights over Data shared – Once it takes effect, the GDPR will give data owners more rights over the personal information they have shared. This includes the right of access, meaning your organization must readily provide, at the owner’s request, the personal records you have in store, including the processes they went through. There is also the right to have their data erased, should any personal security issue arise, and the right to data portability, meaning that on request they can have their data transferred from your system to another. This part has been quite an issue amongst EU enterprises, as it is not a key player in cybersecurity practices. The Commission, however, clarified that the significance of this will be more on the social interaction between clients and enterprises. Interesting! This means that, aside from the client’s welfare, the GDPR also places importance on the businesses set to comply with the regulation.
Whether or not the new GDPR compliance affects you directly, you can very well consider its standards as the standards of your company. Improve your data security and protection, which ultimately results in a better relationship with your clients and the people you do business with.
The increasing number of data breaches and ransom demands has been very alarming lately; we cannot afford to be mediocre anymore, leaving our doors unlocked and our windows wide open. Keep checking, innovating, adapting.
You are a critical part in maintaining the Global Security Hygiene!