The EU GDPR: Making Waves on Both Sides of the Atlantic
Today, we are in Aarhus, Copenhagen, at a conference about the new European Union General Data Protection Regulation (GDPR), hosted by our partner NNIT. This is an exciting event, as the EU GDPR has generated a significant amount of media attention on both sides of the Atlantic.
So, why the big fuss about another European regulation? Well, to start - it's not just another regulation. Legal experts argue that the GDPR will be the most significant piece of legislation to affect the European Union in the past two decades, as the law will unify and standardize data privacy and security obligations across all of the 28 EU Member States. This law will also govern personal data collection and deletion practices of non-EU organizations that conduct business with EU member states.
The GDPR has some very important provisions:
- Corporations must now have protocols in place to identify and secure Personally Identifiable Information (PII) in their systems. They must also respect an individual's 'right to be forgotten' when customers or employees request that their data be deleted.
- Companies must immediately disclose to relevant officials when data breaches have occurred.
- Companies must also appoint Data Privacy Officers to help ensure compliance with the GDPR.
While the regulation clearly has far-ranging reach, the vast majority of companies are not fully aware of the operational and IT changes that need to take place to ensure compliance with the law. The scary part is that non-compliance with the GDPR could cause a company to cease business operations, with fines for non-compliance ranging up to 4% of yearly company revenue or 20M Euro, whichever is greater.
As a Product Manager at Metalogix, I routinely interact with customers who look to our solutions to solve particular data governance and compliance needs. But compliance often carries a passive, 'check the box' mentality - those tasked with implementing compliance solutions often only care about their deployment. Data audits driven by compliance are also scheduled infrequently, or only when certain legal obligations demand them. That type of compliance does not carry an 'active' security posture, where processes and systems are routinely monitored for potential vulnerabilities. When your SharePoint permissions are woefully out of date, and when you don't know what data your users have access to, you run a serious risk of your own employees accessing PII, PCI, PHI or intellectual property that they frankly shouldn't be seeing. That's a major security risk, especially if an external actor has compromised an authorized user's credentials and has gained access to your systems.
Organizations must routinely take inventory of what data they hold, where that data exists, and most importantly, who can access what. I'm constantly surprised by the number of customers who simply don't know where all their PII resides inside of their active and legacy systems. That's part of what the EU GDPR is designed to do - it will now force companies to take a thorough, top-down examination of where they store personal data, and help ensure accountability for when breaches occur.
Stay tuned for more updates!