As of May 2018 a new law of the European Union will be in effect, the so-called General Data Protection Regulation (GDPR). The GDPR aims to protect all EU citizens from privacy and data breaches. It is based on the original 1995 directive on data protection, but has been updated to meet the demands of the data-driven world we currently live in. The law has considerable consequences for companies, and not only for those based in Europe (EUGDPR, 2017).

In fact, it applies to all companies processing the data of subjects residing in the European Union. In other words, every firm that has one or more customers, suppliers or any other data subjects living within the European Union is affected by this new law. Compliance with the newly enforced standards is mandatory; otherwise massive fines will be imposed. A breach of the GDPR can be fined up to 4% of annual turnover or €20 million, whichever is greater (EUGDPR, 2017).

A large number of organisations are speaking about the need to comply with the GDPR. However, if they take the approach that compliance is all that matters, they are bound to fail. Firms focusing on compliance alone are likely to be ineffective and wrongly believe they are on the right track when it comes to security. Sure, they will be able to tick a few boxes along the way, but they will be protected properly neither from a data breach nor from the impact such a breach would have. Instead, data protection should be at the heart of a firm's strategy. Many compliant organisations have still suffered data breaches and have had to deal with all the ugly consequences (Tucker, 2017).

Data protection is not new, but the EU regulation is. Corporate objectives should therefore be aimed at protecting data rather than at complying with the law. A genuine data-protection approach should be embedded in the business; with such a central approach, compliance will follow by itself.



