Data protection legislation is seen as a way for governments to take back control over data security, which has suffered critical hits in recent years, with major breaches making headlines on a weekly basis. Regulations are a natural reaction to real-world threats that companies seem powerless to stop. Governments hope that by enforcing tougher data protection rules, companies unwilling to take extra measures on their own will be brought up to a higher overall standard.
While this goal seems necessary given recent developments, how will the new legislation translate into the business world, and how will it affect business growth and the push for innovation? There is a marked concern in business circles that cumbersome, overly restrictive data protection regulation such as the EU’s General Data Protection Regulation (GDPR) will suffocate emerging technologies such as AI and machine learning by over-regulating their deployment.
As the replacement for the 1995 Data Protection Directive, a text more than twenty years old, the GDPR in particular is considered ground-breaking legislation, shaped to tackle the most pressing privacy concerns of our increasingly digitized world. If proven successful, it could act as a blueprint for future data protection legislation across the globe.
There is a certain degree of panic fueling companies’ rush for GDPR compliance, as policy makers, lawyers and industry experts debate the potential implications of certain requirements and try to predict how they will be enforced. How strictly the GDPR is applied will depend on the national supervisory authority (Data Protection Authority) in each member state. Businesses are therefore left to worry whether their compliance measures will be considered “appropriate” in the eyes of the regulators (Article 32 speaks of “appropriate technical and organisational measures”) and whether they have done enough to avoid fines.
Here is an overview of the GDPR’s advantages and disadvantages.
The Pros: The Future of Data Security as We Know It
With cybercriminals ready to exploit any vulnerability in networks, applications and website infrastructure, and with the added risk of leaks by careless or disgruntled employees, the security of data has never been more fragile. Businesses can no longer afford to ignore cybersecurity, and the GDPR can act as a guide to achieving a higher degree of data security.
By raising the bar on data privacy and security, the GDPR should lift the baseline security posture of every organization that is established in the EU or that offers goods and services to, or monitors the behaviour of, people in the EU (Article 3), not only of those that were already taking security seriously.
Data breaches and leaks take a serious toll on companies’ reputations. Customers lose confidence in a brand once they learn their data is not safe with it. With improved security, clients will not only continue to trust companies but will be more willing to share data, knowing they are doing so in a secure environment. Companies can thus grow their customer base.
One of the GDPR’s positives is the EU-wide standardization and harmonization of the regulatory environment. Once compliant, companies can operate across all EU countries and process the personal data of people in the EU wherever they are in the bloc without having to reconcile diverging national laws. The harmonization is not total, however: the regulation leaves member states room to legislate in certain areas, such as the age at which a child can consent to online services (Article 8) and the processing of employee data (Article 88), so some national variation will remain.
The Cons: Overregulation Hampering Innovation
As is often the case with legislation, especially that coming from the European Commission, there is concern about overregulation when it comes to the GDPR. Adding red tape in the form of endless consent prompts for every processing activity might significantly burden customers in their enjoyment of online services and applications, in an age when user-friendliness is one of the key factors in retaining customers. It is worth noting, though, that consent is only one of the six lawful bases for processing listed in Article 6; processing that is necessary to perform a contract or that rests on legitimate interests does not require a consent prompt at all, so much of the feared prompt fatigue stems from over-cautious implementation rather than from the text itself.
One of the big drawbacks of GDPR compliance is of course the cost of reaching it. To become compliant, it is not enough for companies to update their internal policies. Companies whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, must appoint a Data Protection Officer (Article 37), and every company must build data protection into its products by design and by default (Article 25).
This implies additional security controls that need to be built into the software architecture, meaning more work for developers. Article 32 requires “appropriate technical and organisational measures” without prescribing specific products, but tools that offer data classification and Data Loss Prevention (DLP) are one practical way to gain insight into, and control over, who is processing personal data and where. All of this, of course, comes at a cost.
Another major concern is the size of the fines that companies found in breach of the GDPR’s core principles can incur. Under Article 83, infringements of the basic principles, of data subject rights or of the international transfer rules can be fined up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to €10 million or 2% applies to other obligations, such as those on security of processing and breach notification.
With all its strengths and weaknesses, the GDPR is here to stay, raising the bar on data security and making companies accountable for failures to protect the personal data of people in the EU. While businesses are still grappling with the finer points of the new regulation, once the initial hurdle of compliance is overcome, a decline in data breaches is expected to follow. Whether the GDPR will live up to its full potential as a revolutionary data protection regulation for the 21st century or flounder in bureaucracy will be decided by the way it is enforced once it becomes applicable on 25 May 2018 (the regulation entered into force in May 2016, with a two-year transition period).
Frequently Asked Questions
What are the benefits of the GDPR?
The GDPR brings several benefits, including greater trust between data subjects and organizations, improved data security, better alignment with evolving technology, reduced data maintenance costs (less data kept means less to store and protect) and better decision-making for companies. Complying with the GDPR helps to minimize the risk of a data breach, which could lead not only to steep fines but also to damage to the brand and company reputation.
What rights does the GDPR give data subjects?
The GDPR provides the following rights for data subjects (Chapter III):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What are the main GDPR requirements?
The GDPR requires companies to gain a new level of awareness of how they process personal data, where it is stored, and how and by whom it is used. The essential requirements include data protection by design and by default, appointing a Data Protection Officer where Article 37 requires one, keeping track of personal and sensitive data and reporting breaches to the supervisory authority within 72 hours of becoming aware of them (Article 33), extended individual rights, and rules on cross-border data transfers.
What is personal data under the GDPR?
Personal data under the GDPR is any information relating to an identified or identifiable natural person (Article 4(1)). A person is identifiable if they can be identified, directly or indirectly, “in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Note that pseudonymized data remains personal data as long as the additional information needed to re-identify the person exists (Recital 26), so hashing or tokenizing an identifier does not on its own take a dataset out of scope.