GDPR is a Year Old – do you Know Where your Customer Data is?
Tue, 05/28/2019 – 00:09
Personal data privacy has become the mantra of the connected world – and with good reason. People are increasingly worried about who has access to their data and how they’re using it. That’s why the European Union enacted the General Data Protection Regulation. Better known as GDPR, it took effect one year ago this month.
Under GDPR, businesses can collect only the data required for the efforts to which people have agreed. Organizations must explain why they are collecting what data and note with which other organizations they may share it. GDPR also requires businesses to alert EU residents within 72 hours if there’s a breach. These organizations also have to correct, delete and/or provide lists of their collected data at customers’ request.
GDPR is already a worldwide phenomenon
GDPR is an EU law. But this isn’t just a European thing.
This ground-breaking legislation is making waves across the pond and around the world.
The aim of GDPR is to give people in the EU more control of their personal data. But while the people GDPR empowers live in the EU, the businesses that need to comply with GDPR can be anywhere. If a business touches the personal data of an EU resident, that organization must comply with GDPR or suffer the consequences. Businesses found in non-compliance with GDPR stand to be fined 4% of their annual revenue or up to $22.4 million.
Regulators in the EU have demonstrated that they’re serious about policing GDPR. French regulators recently moved to fine Google $57 million for GDPR non-compliance.
It’s also noteworthy that GDPR has prompted legislators far beyond Europe to address personal data privacy. India has been working on data protection regulation, which was inspired by GDPR. Many U.S. states have created or are trying to create personal data security rules, too. The California Consumer Privacy Act, which takes effect in January, is one such example.
And most Americans are aware of GDPR
In celebration of GDPR’s one-year anniversary, nCipher Security surveyed Americans about this ground-breaking legislation. Our research indicates that just over half of Americans have at least a general idea of what GDPR is about.
That’s significant, considering the nCipher survey group consisted of Americans and GDPR applies to EU residents.
They care about personal data privacy
Clearly, Americans are passionate about personal data privacy. More than half (52%) of our survey group said data privacy is important to them. In fact, 41% said protecting their personal information is their top concern.
Protecting personal data was a top concern for a good share of both male and female survey participants. Forty-five percent of women said protecting their personal information is the most important thing to them. About a third (37%) of men said they feel the same way.
However, they question business transparency
Unfortunately, most Americans (64%) don’t feel that organizations are completely transparent about how they use their customers’ personal data. And many have trust issues with the organizations they do business with.
Almost half (49%) said they don’t trust companies to keep their private data secure. That may explain why 44% said they don’t want to share their personal data under any circumstances.
But there’s an opportunity to clear the air
Where there’s confusion and mistrust, there’s an opportunity to educate and build confidence.
That’s why organizations should look holistically at how they address privacy. They should be transparent with customers about how they’re handling their data. And they should implement repeatable processes to protect personal data in line with regulations.
Organizations can start by assessing their risks related to cybersecurity and personal data privacy. That can help them decide which data privacy and security controls to put in place.
Businesses need to have processes in place to locate, track, identify and classify personal data. That way they can demonstrate their compliance with personal data privacy and security regulations if needed. And they’ll be ready when customers request access to, correction of, or deletion of their personal data.
It will require resources, but with a big payback
The best strategy to address personal data privacy and security is a proactive one.
Such strategies should include:
- identifying key processes
- communicating them to customers and employees
- employing data security tools, including encryption, authentication (including multifactor authentication), and digital signing
Addressing personal data privacy and security regulations is a new challenge. But it’s an important one, and businesses need to dedicate the time and resources to meet it.
Organizations that adopt the appropriate tools and strategies to comply with personal data privacy and security regulations can avoid big fines, protect their reputations, and earn greater trust with – and, thus, more business from – customers.
This is a Security Bloggers Network syndicated blog from Drupal blog posts authored by peter-galvin. Read the original post at: https://www.ncipher.com/blog/gdpr-year-old-do-you-know-where-your-customer-data