If you’re like many of us, reading that title probably brought back a flashback of the tens, if not hundreds, of emails you received towards the end of May. It seemed like every service you subscribed to, including some website you bought your brother a gift from five years prior, had to tell you that it was updating its terms and conditions. What was that about?
Depending on your world view, you may have an enthusiastic or a rather dim view of the European Union. One area in which the EU considers itself to be at the forefront is privacy regulation, especially regulation concerning the Internet. At this moment, the EU covers some 508 million people, giving it the world’s third largest population, after China and India. This means that regulatory changes made in the EU have wide-ranging effects for other users of the Internet. Those updates to terms and conditions that many of you received are the result of exactly this sort of regulation: the General Data Protection Regulation, or GDPR.
The GDPR was passed in 2016, but the EU gave businesses a two-year period to implement policies around the new regulations. Essentially, the law grants a host of rights to consumers and imposes regulations on businesses concerning what they can do with customer data and what they have to do to secure that data.
We have written previously about data breaches, like those at Equifax and Yahoo. Any time this type of breach happens, information that could potentially identify consumers has fallen into the wrong hands. It could then be used to steal someone’s identity and commit a litany of other crimes. The intent of the GDPR was to modernize European data protection regulations to keep pace with the changing ways people use the Internet, and with the new ways that companies providing services online take advantage of consumer data. The full text of the law clocks in at 88 pages and, at this time, only affects companies that do business in Europe, but understanding the basics of the law provides a glimpse into the coming trends in data security compliance.
Under the GDPR, a whole host of data utilized by service providers, like Facebook and Google, is classified as “personally identifiable.”
This means things like your name, credit card numbers, or home address—but it also means things like a phone number or IP address. Additionally, consumers have the right to request this data, free of charge, from any company that possesses it. The company, in turn, has a month to turn the data over to the consumer. On the business side, the regulations codify compliance with data protection and privacy law, and lay out a fine structure for companies found to be out of compliance. The law also requires that the privacy of user data be baked into new services and applications, so-called “data protection by design and default.” Now, I know that all of you took the time to read those emails with the updated terms and conditions, and compared them against the previous terms and conditions you had agreed to, right? This provision of the law was the one that resulted in some relatively substantial changes to the manner in which companies secured customer data. Data is to be made secure and non-public by default, meaning that consumers must actively opt in to sharing it, rather than having to opt out.
What does this all mean? At this time, the United States has not adopted laws similar to the GDPR, but they could be coming. Any United States based organization that does business in the EU must now be compliant with the law. Finally, the security of your customers’ data should be of great concern to any business owner, not just those subject to the GDPR, and your internal policies are the starting point.