What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) harmonises data protection law across all 28 EU member states and imposes strict new rules on the controlling and processing of personal data. Note that "personal data" under GDPR is broader than the US notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses and cookie IDs. The regulation also strengthens data protection rights by giving individuals in the EU more control over how their data is used. GDPR replaces the 1995 EU Data Protection Directive (95/46/EC) and applies from 25 May 2018. In the UK it is supplemented by the Data Protection Act 2018, which replaced the Data Protection Act 1998.
The Emergence of the EU GDPR
The General Data Protection Regulation (GDPR) applies from today and is the biggest shake-up of data protection rules in decades, forcing companies to make significant changes to achieve GDPR compliance. Organisations face the daunting task of inventorying and restructuring all of the personal data they hold so that it can be located, accessed, rectified and erased on request, all while adhering to robust security standards. Failure to do so risks maximum fines of €20 million or 4% of global annual turnover, whichever is higher. For some of the world's largest companies, those fines could hypothetically run into the billions.
As well as giving individuals extra protection for their data, a subject of considerable attention in the wake of the Cambridge Analytica scandal, GDPR is creating opportunities for technology companies to provide services that simplify and secure data management. Technology may have created the need for GDPR, but many see it as the solution too. The regulation contains many essential items, including increased fines, mandatory breach notification, opt-in consent and responsibility for data transfers outside the EU. As a result, the impact on businesses is huge and will permanently change the way customer data is collected, stored and used. GDPR applies to every organisation that holds or processes the personal data of individuals in the EU, regardless of where the organisation is located. Many organisations outside the EU are unaware that it applies to them: if an organisation offers goods or services to, or monitors the behaviour of, individuals in the EU, it must meet GDPR compliance requirements (Article 3).
One upshot of GDPR is that it is driving innovation in artificial intelligence to provide solutions to this problem. IBM, for example, has developed an automated system that uses a type of AI known as cognitive computing to scan data caches and index what it finds. It then automatically completes tasks such as responding to data subject requests, which under the new rules must generally be answered within one month. AI programmes can also save companies much of the heavy lifting by automating the discovery of sensitive data and the associated risk analysis, so that any gaps in compliance can be identified and addressed.
GDPR makes direct reference to automated decision-making: individuals have the right to be told when a decision affecting them is based solely on automated processing, including profiling, and to receive meaningful information about the logic involved (Articles 13 to 15 and Article 22). Under GDPR organisations must ensure they have security appropriate to the risk in place, and they are required to report personal data breaches that are likely to result in a risk to individuals to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Article 33). Article 32 names pseudonymisation and encryption of personal data among the technical measures a controller or processor should consider; it does not mandate encryption outright, but it has created an opportunity for cybersecurity companies to capitalise on legislation-driven demand.
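Article 32 lists pseudonymisation and encryption side by side, and a common mistake in practice is to treat an unkeyed hash of an identifier as pseudonymisation. The following Python example is added here to illustrate the point and is not code from the original answer or from any vendor named on this page. It uses only the standard library, the records and the attacker's guess list are constructed for the example, and it shows why a plain SHA-256 of an e-mail address can be reversed by a dictionary attack while a keyed HMAC token cannot be reversed without the key. It also keeps the caveat from Recital 26 in view: pseudonymised data is still personal data as long as the controller holds the key or a lookup table that can re-identify the subject.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records for this example; the people are fictitious.
RECORDS = [
    {"email": "Alice.Smith@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
]


def _normalise(email: str) -> bytes:
    # Case and whitespace differences must map to the same token, otherwise
    # one data subject silently becomes several.
    return email.strip().lower().encode("utf-8")


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address. Deterministic and fast, which is exactly
    why it is NOT adequate pseudonymisation: anyone can hash guesses."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Only a party holding `key` can recompute it,
    so the key must be stored separately from the data set (Article 4(5))."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key."""
    return secrets.token_bytes(32)


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker without the key can do: hash every guess and compare.
    Returns the matching guess, or None if no guess matches."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), token):
            return candidate
    return None


def pseudonymise_records(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed token and keep the rest.
    The result is still personal data for whoever holds `key` (Recital 26)."""
    out = []
    for record in records:
        out.append({
            "subject_token": pseudonymise(record["email"], key),
            "country": record["country"],
            "plan": record["plan"],
        })
    return out


if __name__ == "__main__":
    key = new_key()
    guesses = ["alice.smith@example.com", "carol@example.net", "bob@example.org"]
    print("naive hash reversed to:", dictionary_attack(naive_hash(RECORDS[0]["email"]), guesses))
    print("HMAC token reversed to:", dictionary_attack(pseudonymise(RECORDS[0]["email"], key), guesses))
    for row in pseudonymise_records(RECORDS, key):
        print(row)
```

The design point is that the token must be keyed and the key must live somewhere the data set does not (an HSM or a separate secrets store with its own access control), since whoever can compute tokens can re-identify subjects. Rotating the key re-tokenises the whole data set, so plan for that before choosing HMAC tokens as a join key across systems.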
Fines for non-compliance are large. They can be as high as €20 million or 4% of a company's global annual turnover, whichever is larger. This is the maximum fine for the most serious violations, for example processing data without a valid lawful basis such as sufficient consent, or violating core Privacy by Design concepts. There is, however, a tiered approach: a lower tier of up to €10 million or 2% of global annual turnover applies to failures such as not keeping records of processing in order, not notifying the supervisory authority and affected data subjects about a breach, or not conducting a data protection impact assessment. It is important to note that these rules apply to both controllers and processors. Egnyte helps customers work towards GDPR compliance by placing content collaboration and data governance at the core of their strategy. Its SaaS solution shows where data resides across a network, identifies personal and sensitive data, and reports that information quickly and efficiently as required.
This question originally appeared on Quora.