GDPR – The Mother of All Data Privacy or Not
Depending on who you ask, the General Data Protection Regulation (GDPR) is here to stay, and possibly at a very high cost. Sometime between May 20, 2013 and June 5, 2013, Edward Snowden, a former CIA (not the CIA triad) employee, leaked thousands of classified documents detailing how the United States collected and used individuals’ private and personal data. These documents provided clear evidence that the United States was not doing enough to protect individuals’ data that may have been transferred from European countries to the United States. This point is very important because the release of these documents had far-reaching implications.
Since 2000, under the Safe Harbor law, no company could be prosecuted for transferring data from the European Union (EU) to the United States because it was believed that the United States was providing proper protections for that data. The Snowden leak proved otherwise by providing direct evidence that the data was not safe. As a result, a lawsuit was filed to challenge the Safe Harbor law. Based on evidence in the documents leaked by Snowden, the EU decided that the United States was not doing enough to protect individuals’ privacy, and the Safe Harbor law was struck down. Since then, many countries have been scrambling to determine what can be done to protect individuals’ private data because of the new exposure to litigation.
The GDPR is the EU’s response to the Snowden revelations. The regulation was negotiated between the EU Council, Parliament, and Commission. Although it was approved in December 2015, it didn’t become law until April 2016. In short, GDPR provides a framework that regulates how companies operating in Europe may collect and protect individuals’ personal data. The regulation became enforceable on May 25, 2018. Like most people, you have probably been receiving an avalanche of updated privacy notice emails from your credit card company, mortgage lender, or loan companies.
Writing for Security Week on June 6, Travis Greene asked the question, “The Future of GDPR – Dead, Diluted, Detested or Accepted?” Lawyers in several countries, including Germany, France, and Austria, filed suits against Google and Facebook to the tune of $8.8B on the first day the regulation was in force. The EU GDPR has one European Data Protection Board but several regulators, and given the scope of the regulation, it will be difficult to manage. These management difficulties will translate into a tremendous increase in cost, both for the regulators in the form of bureaucracy and for corporations as they attempt to figure out how to navigate the new requirements.
Given the way GDPR was written, even private citizens can sue if they feel their personal privacy has been violated. This means that many corporations and even small businesses could be subject to litigation if they collect personal data from clients and customers based in Europe.
If you are interested in learning whether you are compliant with GDPR, or what your potential liability could be if you are found out of compliance, contact CarTek Consulting. Remember that this regulation applies to any company, large or small, that collects data from someone based in Europe. Do you know who is visiting your website or purchasing your products and services? If they are based in Europe, you could be subject to litigation under GDPR requirements.
Read Travis’ full article at https://www.securityweek.com/