GDPR: The Pros and The Cons
Data protection legislation is seen as a way for governments to regain some control over data security, which has taken serious hits in recent years as major breaches make headlines on a weekly basis. Regulation is a natural reaction to real-world threats that companies seem powerless to stop. Governments hope that by enforcing tougher data protection policies, companies unwilling to take extra measures on their own will be brought up to a higher common standard.
While this goal seems necessary given recent developments, how will the new legislation translate into the business world, and how will it affect business growth and the push for innovation? There is a marked concern in business circles that cumbersome, overly restrictive data protection rules, such as the EU's General Data Protection Regulation (GDPR), will stifle emerging technologies such as AI and machine learning by over-regulating their deployment.
As the replacement for the twenty-year-old Data Protection Directive of 1995, the GDPR is considered a ground-breaking piece of legislation, shaped to tackle the most pressing privacy concerns of an increasingly digitized world. If it proves successful, it could act as a blueprint for future data protection legislation across the globe.
A certain degree of panic is fueling companies' rush for GDPR compliance, as policy makers, lawyers and industry experts debate the implications of particular requirements and try to predict how they will be applied in practice. How strictly the GDPR is enforced will depend on the national Data Protection Authorities (DPAs) in each member state. Businesses are therefore left to worry whether their compliance measures will be judged "adequate" under the GDPR and whether they have done enough to avoid fines.
The Pros: The Future of Data Security as We Know It
With cybercriminals ready to exploit any vulnerability in networks, applications and web infrastructure, and with the added risk of leaks by careless or disgruntled employees, data has never been more exposed. Businesses can no longer afford to ignore cybersecurity, and the GDPR can act as a guide to a higher degree of data security. A practical caveat: the regulation requires "appropriate technical and organisational measures" proportionate to the risk (Article 32) rather than prescribing specific controls, so it sets the obligation, not the technical checklist.
By raising the bar on data privacy and security, the GDPR raises the security baseline for a very large population of organisations: it applies to any company established in the EU and to any company outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the data is processed.
Data breaches and leaks take a serious toll on companies' reputations. Customers lose confidence in a brand if they believe their data is not safe with it. With improved cybersecurity, clients will not only continue to put their trust in companies but will become more willing to share data, knowing they are doing so in a secure environment. Companies can thus grow their customer base.
One of the GDPR's main goals is EU-wide standardization and harmonization of the regulatory environment. In practice this means that, once GDPR compliant, a company can process the data of people anywhere in the European bloc without having to navigate diverging national laws, and under the one-stop-shop mechanism it deals primarily with the supervisory authority of the member state where it has its main establishment. Harmonization is not total, however: the regulation leaves member states room to legislate on certain points, such as the age below which parental consent is required for online services (between 13 and 16) and rules on employee data.
The Cons: Overregulation Hampering Innovation
As is often the case with legislation, especially legislation coming from the European Commission, there is a concern of overregulation when it comes to the GDPR. Red tape in the form of endless consent prompts for every data process would significantly burden customers in their use of online services and applications, in an age when user-friendliness is one of the key factors in retaining customers. It is worth noting that consent is only one of six lawful bases for processing under Article 6; a company that relies on performance of a contract or on legitimate interest does not need a consent prompt for that processing, so much of the prompt fatigue stems from how companies choose to implement the rules rather than from the regulation itself.
One of the big drawbacks of GDPR compliance is of course the cost of reaching it. To become compliant, it is not enough for companies to update their internal policies. Public authorities, and companies whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data, must appoint a Data Protection Officer (Article 37), and all companies must ensure that their products take a privacy-by-design and privacy-by-default approach (Article 25).
This in itself implies additional security features that need to be built into software architecture, meaning more work for developers. The regulation mandates outcomes rather than particular tools, but in practice controls such as Data Loss Prevention and data classification, deployed system-wide, are the usual means of gaining insight into and control over who is processing which data, and where. All of this, of course, comes at a cost.
Another major concern is the size of the fines that companies found to be non-compliant with the core principles of the GDPR can incur. Infringements of the basic processing principles, the conditions for consent, data subject rights or the rules on international transfers can be fined up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher; other obligations, such as security and breach notification duties, fall under a lower tier of up to €10 million or 2% of turnover.
The GDPR is here to stay and, with all its drawbacks, will rewrite cybersecurity standards and make companies legally accountable for failing to protect the data of people in the EU. While businesses are still grappling with the finer points of the new regulation, its backers expect a decline in data breaches to follow once the initial hurdle of compliance is overcome. Whether the GDPR lives up to its potential as the data protection regulation for the 21st century or flounders in bureaucracy will be decided by how it is applied once it becomes enforceable on 25 May 2018.