GDPR is coming soon
As the world becomes more digitally available, people are more prone to use the internet for daily tasks. This creates a rather unique and gatherable set of data that represents who you are as a person. Many people can be identified by Personally Identifiable Information (PII), such as credit card numbers, social security numbers, birthdates, addresses, and so forth. Many do not realize just how much information is currently available to those who are willing to do a search. In April of 2016, regulations were passed in the United Kingdom to help monitor and protect the British populace. The regulations allowed a buffer of time to implement the new clauses and must be complied with as of May 2018. Some of the affected services are search engines, e-commerce platforms, and even cloud computing devices. The legislation is referred to as the General Data Protection Regulation (GDPR), and is a directive designed to regulate and tighten digital security for all British citizens. The protection also extends to the European Union, making a large group of countries and citizens part of this Regulation.
The precise purpose of the GDPR is to monitor the use of EU and British citizens’ personal data and PII, ensuring that informed consent is required for any gathering of such information. The same is required for using that data, regardless of where in the world the use is being made. Clauses cover the unlawful processing of this information, with mandatory risk assessments for both in-house and cloud-based computing of this information. Fines for mishandling information or not complying with the clauses of the GDPR can be as high as five million euros or two percent of a company’s total worldwide annual turnover based on the previous financial year. This costly process is intensive and comprehensive concerning the security of both British and EU citizens, but many businesses are not yet ready. Time is dwindling, and the costs of both compliance and non-compliance are staggering.
New security measures
In the past, some protection was offered by the governments in the EU, but it was not particularly standardized or enforced. Prior to the GDPR, the relevant legislation dated from far earlier in the life of the internet, well before such issues as PII were even a consideration. It was an outmoded and obsolete set of legislation that was due for a replacement. The new legislation is far stricter, and focuses not only on the gathering and application of this information, but on where it is processed. The central idea of protecting PII is apparent throughout the GDPR, extending the protection of the law to the information as well as to the person it refers to. Unlike previous protections, PII has the same rights and protections as the people who created it. This information can be stored in a variety of ways, such as in a database or through cloud computing, moving in an instant across the globe.
The mobile nature of the information is a large part of the GDPR. Individuals who create PII are required to give informed written consent to the entity holding that information. The permissions can be revoked at any given time, withdrawing a company’s right to store or use information on a given person. Another wrinkle for many businesses is the extension of this law to a global market. Because of how quickly information can be sent globally, the information itself has the protection of law. Regardless of where it is stored or processed, the creator of that information must give permission for both storage and use. Being multi-national is no longer a loophole. For any business dealing with the EU, as of May 2018, this becomes a serious consideration. Complying with these requirements means creating an access point for everyone whose information is stored, one that is free from any regulation beyond the law. Citizens must have the ability to see precisely what is being stored, and have the ability to get the information removed at any time. Internal security measures must allow this information to be searched, reviewed, and edited at any time by the user rather than only from within the company. Additional risk assessments to ensure this system is viable are also required. This means that a company must not only set up a new access system, but also monitor it stringently or face significant fines.
The GDPR outlines various guidelines to adhere to, including a direct accountability and reporting requirement for every person or entity that is part of the information chain. The GDPR also requires certified experts, available at all times, to represent the legislation within a company: individuals who are experts on the various aspects of the GDPR and are available at any given time to discuss personal concerns. This expert must be available to both consumers and employees, as both are equally important in protecting information. This officer is directly responsible for reporting to the governing bodies about any breaches, potential loss of information, or situations that cause concern. If compliance is not met, any business stands to lose significantly.