Companies that collect data on individuals in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25, 2018.
The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data,
but companies will be challenged as they put systems and processes in place to comply.
Compliance will raise new concerns and expectations for security teams. For example, the GDPR takes a wide view of what constitutes personal data.
Companies will need to protect online identifiers such as an individual's IP address or cookie data to the same standard as a name, postal address or national identification number.
The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995.
It carries provisions that require businesses to protect the personal data and privacy of individuals in the EU (the regulation protects data subjects located in the EU, not only EU citizens) for transactions that occur within EU member states.
The GDPR also regulates the exportation of personal data outside the EU.
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU.
However, that standard is quite high and will require most companies to make a large investment to meet and to administer.
The short answer to why the GDPR was introduced is public concern over privacy. Europe in general has long had more stringent rules around how companies use the personal data of its citizens.
The GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well before the internet became the online business hub that it is today.
Consequently, the directive is outdated and does not address many ways in which data is stored, collected and transferred today.
Any company that stores or processes personal information about individuals in the EU must comply with the GDPR, even if it has no business presence within the EU. Specific criteria for companies required to comply are:
Companies must be able to show compliance by May 25, 2018.
The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.