The General Data Protection Regulation (GDPR), passed by the European Union in May 2018, will have long-lasting ramifications for many businesses in the United States. The European law reaches domestic companies because of three factors: the borderless nature of the internet, the large number of multinational corporations, and language in the regulation stipulating that any company (inside or outside the EU) that collects data from an EU citizen must comply with the GDPR.
Since the GDPR applies to all businesses operating within the EU and organizations that do business with EU customers, almost “every major corporation” around the globe will have to be prepared to comply with the GDPR, according to a recent article in ZDNet.
A Look at the GDPR
In 2012, the European Commission, which proposes legislation for the EU, made data protection of EU citizens a priority. Over the next four years, the commission developed policy recommendations that were later formalized in the GDPR. The law also codifies the so-called “right to be forgotten,” which allows EU citizens to petition search engines like Google to remove data “no longer needed for their original processing purpose,” according to the EU’s official webpage on the GDPR.
ZDNet described the complex regulations in simple terms. Nearly every aspect of modern life (retail transactions, social media companies and government records, for instance) revolves around data and the collection and storage of personal information, the article noted. The GDPR, according to ZDNet, fundamentally alters that power dynamic by giving EU citizens greater control over their personal data. The GDPR aims, in part, to “simplify the regulatory environment” for businesses so both businesses and citizens can benefit from the digital economy.
For U.S. companies with EU clients, GDPR compliance requires that personal data be gathered lawfully and only under certain conditions. Furthermore, businesses are obliged to protect personal data from misuse and exploitation while respecting the rights of the data subjects who own it. Failure to comply with any part of the GDPR may result in penalties.
Impact of the GDPR on Cyber Security Management
Cyber security managers across the United States are examining their cyber security protocols to ensure compliance with the GDPR. Whereas data breaches in the past could be addressed through PR channels, the loss of personal information could mean legal trouble for companies under the GDPR.
“You will have significantly more legal liability if you are responsible for a breach,” said the UK’s Information Commissioner’s Office in a ZDNet article. “These obligations for processors are a new requirement under the GDPR.”
A 2018 Bluefin article described how GDPR regulations affect the ways U.S. companies handle transparency and consumer consent. One key change in how companies collect data is the new requirement that businesses obtain “explicit, informed consent” from customers. One result of the stringent guidelines, the article predicted, will be the use of more than one consent box. Consumers will also have more options to revoke consent. Additionally, the new regulations restrict how companies share the data they hold.
The GDPR leaves little wiggle room for reporting. Once a breach of personal data has been discovered, the regulations allow no more than 72 hours before the supervisory authority must be notified. Consumers must be notified of high-risk data losses “without undue delay,” according to the GDPR. Businesses that do not comply with the GDPR may be fined up to 20 million Euros or 4 percent of annual revenue, whichever is higher.
Online consent boxes are also getting an overhaul. Under the new standards, companies can no longer deluge customers with thousand-word terms and conditions. The new regulations stipulate that each term must be written clearly. Consent for each term must be signed separately, and consent must be renewed regularly.
Peter Zaffino, CEO of general insurance for AIG, summed up the potential impact of the new regulations on U.S. markets in an article in Forbes.
“There is no one silver bullet for becoming a GDPR-compliant organization,” he said. “Because there is no history to study, all companies must start from square one. The key to success will be adopting the mentality that privacy is a fundamental expectation to be integrated at every level of operations. Now is the time to be proactive — for the good of the customer and the business.”
Assuring compliance with the GDPR is just one issue creating global demand for qualified cyber security professionals. The online Master of Business Administration with a concentration in Cyber Security Management from St. Thomas University prepares students to meet the challenges posed by the GDPR and other regulations. The world is increasingly interconnected, and combating cyber crime requires comprehensive training. STU’s online MBA in cyber security management covers network security, cyber security technologies, cryptography, risk management and more. All courses are taught by STU faculty, and the degree can be completed in as few as 10 months.
Learn more about the STU online MBA with a concentration in Cyber Security Management.