The General Data Protection Regulation Poses Challenges for U.S. Companies
The General Data Protection Regulation (GDPR) will set a new standard within the next year for safeguarding the personal data and privacy of European Union citizens, according to CSO. The GDPR applies to businesses that store or process personal information about individuals within EU member states, so these businesses must adhere to its provisions even if they have no physical presence in the EU. Proper security systems and processes will be necessary to meet the strict new GDPR rules and avoid costly fines. However, U.S. businesses may face a number of challenges when working to achieve compliance.
Data Protection Challenges
The new GDPR standard may cause some concern for U.S. business security teams, as the rules encompass “a wide view of what constitutes personal identification information,” CSO says. For instance, on top of protecting a user’s name, address and social security number, businesses need to provide equal protection for a user’s location, IP address and cookie data. Moreover, security teams may find it difficult to determine how robust their data protection initiatives should be in order to stay compliant with the GDPR. This is because the GDPR requires businesses to offer a “reasonable” level of protection for personal data, but its guidelines do not specify what constitutes reasonable, according to the source. Despite this ambiguity, businesses will need to implement proper security initiatives to demonstrate GDPR compliance by May 25, 2018.
Furthermore, under GDPR provisions, a company’s data controller, data processor and data protection officer are all responsible for compliance. This raises a further concern, as the GDPR holds both the company and its provider “liable for penalties even if the fault is entirely on the processing partner,” CSO points out.
Additionally, security teams must report a data breach to supervisory authorities and affected users within 72 hours, which may pose a challenge for some businesses.
Businesses that are not in compliance with the GDPR may face heavy penalties of up to 20 million euros or 4 percent of annual turnover, whichever is higher, according to the source.
CSO makes several recommendations for GDPR readiness. For instance, businesses can have top management communicate the urgency of cyber preparedness and data protection, involve all stakeholders in meeting GDPR requirements, perform risk assessments and test their incident response.