Data breaches have increased dramatically over the last dozen years, according to research from the Identity Theft Resource Center. The organization recorded just 157 instances of unintended information loss in 2005. This past year, more than 1,300 of these events unfolded, resulting in the exposure of an estimated 174.4 million personal files. Why are breaches growing in volume? Technological progress. As digital infrastructure expands, hackers and cybercriminals discover news ways to infiltrate servers and swipe exploitable or sellable information. Unfortunately, breach figures are likely to increase for the foreseeable future, paralleling the rising number of active connected devices, which is expected to surpass 11 billion by the end of 2018, according to the analysts at Gartner.
The European Parliament in April 2016 passed new data privacy legislation in an effort to protect consumers from the emerging information security threats accompanying the advancement of consumer and enterprise technology. The law, called the General Data Protection Regulation, becomes enforceable May 25 and will transform how businesses worldwide manage data. Organizations here and abroad must prepare for the implementation of the GDPR in order avoid fines and marketplace blowback.
The development of the GDPR
The GDPR is a replacement for an earlier personal data directive passed in 1995, Wired reported. This legislation, which includes 34 separate articles, established ground rules for organizations leveraging early enterprise technology. It introduced bedrock data privacy themes such as the right to access or withhold information from entities, commercial and otherwise. While effective during the initial days of the digital revolution, the legislation became increasingly antiquated and ineffective. With this in mind, EU officials kicked off talks in 2012 with the objective of drafting updated data privacy regulations. These conversations concluded in April 2016, when the European Parliament and the European Commission passed the legislation that came out of the meetings. The EU Official Journal published the new law one month later, along with its official enforcement date of May 25, 2018.
The GDPR in practice
The GDPR attempts to bolster data security and privacy by facilitating regional cohesion, requiring enterprises operating within the EU to meet a single standard as opposed to multiple national laws. However, the standards established in the legislation are quite rigorous. Organizations with European customers and more than 250 employees must adhere to the GDPR. Firms with smaller staff rosters maintaining large data collection and analysis operations "likely to result in a risk to the rights and freedoms of data subjects" are also subject to the law, which includes 99 articles.
"The General Data Protection Regulation becomes enforceable May 25 and will transform how businesses worldwide manage data."
In general, the GDPR requires companies operating in Europe to develop and deploy formalized data processing and storage operations, all of which are documented and consistently updated to address new risks. The regulation also sets out stringent breach reporting requirements, dictating that businesses that suffer data losses must report such occurrences to designated authorities in the applicable EU nations within 72 hours. A number of common data types fall under the purview of the legislation, including biometric, health care, identification and political information, according to the International Data Group.
While the rules contained within the GDPR will certainly burden internal information technology departments, the EU has offered a documented pathway to compliance. It stipulates that data controllers and processors must work with data protection officers to create actionable security policies that meet the requirements set out in the new law. Firms that fail to comply with the GDPR can face fines of up to $24 million.
Many organizations began preparing for the implementation of the GDPR even before the EU Parliament passed the legislation back in 2016. ADP, the international management services company, was one of those early adopters, IDG reported. As the talks surrounding the regulation continued, IT and business leaders at the firm saw the writing on the wall and began reviewing data flow maps in an effort to gain a definitive handle on their information collection, analysis and storage workflows, and how they might be strengthened to meet higher legal standards. By the time the GDPR was published, ADP had made considerable preparations and could use the yearlong implementation grace period to fine-tune their new data security solutions.
However, a significant number of businesses have failed to make such preparations and are likely to receive notices of noncompliance come May 25. In fact, an estimated 50 percent of the enterprises subject to the GDPR are expected to receive such communications, the researchers at Gartner found. U.S. businesses are in particularly bad places when it comes to GDPR preparedness. IDG suspects most of the American firms that must comply with the ruling will fail to meet the May 25 deadline and be visited by inspectors who are likely to make an example of them. More than half of U.S.-based multinational organizations are aware of the GDPR and working quickly to ensure they can roll out new data privacy policies in the coming months, according to PricewaterhouseCoopers. Even so, EU inspectors are unlikely to reward effort, especially in light of recent highly publicized data breaches such as the Uber server intrusion, during which hackers made off with private information for more than 57 million users, Fortune reported. In November, data security specialists for the international coalition hinted that a formal investigation into the rideshare company's data processing activities may materialize, especially since the organization seemingly hid the breach from users for nearly one year.
Such events will be even more heavily scrutinized in the post-GDPR era. Even Equifax, which kept its 143 million customers in the loop as it handled the fallout from the biggest data breach in history this past year, would have failed to comply with the notification requirements included within the legislation, according to TechCrunch. With this in mind, organizations here and abroad must quickly evaluate their data privacy bylaws and processes, and quickly implement changes to ensure compliance with the EU's soon-to-be-enforceable information security law.
While policy rewrites and additional training might make compliance attainable, more significant changes are needed to truly protect customers in the golden age of the hacker. IT modernization is an effective solution, as newer hardware and software is more likely to withstand attacks and keep user data safe than older technology potentially filled with undetectable backdoors. The Inventu Corporation is here to help businesses that want to prepare for the GDPR by updating their IT systems. Our cutting-edge Flynet Viewer makes screen integration and IT modernization easy, meeting employer and staff expectations in a way that feels both familiar and simple. Connect with us today to learn more about the Inventu Flynet Viewer and the other solutions in our product portfolio.