GDPR, the new EU data protection regulation, is just around the corner. The amount of personal data stored by companies and governments has ballooned, and the value of that data has multiplied as more and more personal business is transacted on the internet. Identity theft has become far more prevalent. In addition to the disruption to businesses and the impact on customer loyalty that data breaches create, many jurisdictions are looking to bring their data protection legislation in line with the new, internet-based world – although unfortunately, not into alignment with each other.
However, there is a fundamental transformation underway. In the digital economy, information is the currency of exchange, and information knows no boundaries. Harmonization of regulations that fosters the free flow of information while strengthening privacy and security rights is imperative for policymakers. Take the EU and US trading bloc as an example. The total value of goods and services between the two largest trading blocs is estimated at $5.5 trillion, employing 15 million people. Cross-border flows between the EU and the US are estimated to be 50% higher than with any other trading bloc. 65% of US investment in information technology is in the EU.
These troubling trends are prompting regulators to bolster data security and privacy legislation to impose stricter obligations on businesses and data controllers. The new European Data Protection Regulation (EU GDPR) is the most immediately visible evidence of what will soon be a tidal wave of national and industry information privacy and security regulations.
Historically the EU has had a high bar for privacy protection; privacy is considered to be a fundamental human right. Article 7 of the EU Charter of Human Rights stipulates that “everyone has the right to respect...private and family life, home and communications.”
As a response to advances in digital technologies such as big data, cloud computing, and predictive analytics, coupled with revelations of bulk data collection and profiling by intelligence services, the General Data Protection Regulation (GDPR) is a comprehensive overhaul of privacy legislation which considerably strengthens and expands privacy rights.
It spans more rigorous consent requirements, data anonymization, the right to be forgotten, and breach notification. Violations could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater. For the average Fortune 500 company, that puts fines in the range of $800-900M.
In our new e-book, Information Privacy and Security: GDPR is Just the Tip of the Iceberg, we focus on five key questions that should be on every C-level executive’s list of priorities: