Although online privacy is a thing of the past,
you should be careful with your personal data

The existing EU regulation on personal data protection has been in force for the last 21 years. However, 2018 will see the implementation of a new regulation, which will regulate the area of personal data in a more contemporary manner. Nowadays, the technology can identify an individual directly or indirectly. The companies, which strive to know everything about their customers, also carry great responsibility for the possession of personal data in case of their abuse.

Originally published in Monitor, January 2017
Translated into English

Imagine you are at work on a Friday at 4 pm. Most of the employees have already left the office for an extended weekend due to the national holiday on Monday and your company has just been hacked. The General Data Protection Regulation (GDPR), which will be introduced for European Union Member States in May 2018, states that companies must issue detailed reports for authorities, prosecution authorities, and potential affected customers/users on any hackings, thefts, or abuse of personal data. To do so they have 72 hours regardless of weekends or national holidays. The price for non-compliance with the provisions of the mentioned Regulation is known – the fine for the company amounts to 4 percent of its (global) turnover or 20 million euros (depending on which one is higher). Can you afford that? What about the loss of reputation followed by the loss of clients?

In the mentioned three days or 72 hours, the company that was affected by theft or abuse of data, is in for a lot of work. In this digital era, it is important to be ready for a scenario like that, as this may happen to anyone and all companies may be targets of financially motivated hackers. To ensure the compliance with the GDPR, the company needs to be adequately organised and equipped. It must be able to provide the authorities with immediate information on what customer data they keep, where and how (including the backup copies). They also need to provide adequate permissions to keep this data.

The upcoming European regulation has a clear goal: to protect user privacy and integrity of customers’ personal data collected by companies in different ways. In this case, lawmakers in Brussels closely collaborated with experts, as the General Data Protection Regulation clearly defines the data and information which could be used by companies to identify customers, such as IP address, location data, and different social, economic, and/or cultural indicators.

At the same time, the individuals obtain the right to know exactly where and why their data is kept and processed. Furthermore, they will also be entitled to limit further processing of their data and delete older (historical) data. Ensuring the compliance of their operations with the new Regulation will for many companies prove to be a demanding and expensive task, as they might keep customer data in different systems, whereby removing the data from one system does not automatically remove them from the other or from the database. In addition, the companies face many challenges in the field of business analytics, as they will have to deal with various requests from their users. Some data will have to be made anonymous (meaning that personal data will have to be removed), others equipped with pseudonyms (meaning that personal data will have to be substituted), some encrypted, etc. The GDPR will enter in force in a year and a half. This might seem like a long time to ensure the compliance with the regulation, but companies that practice this already know that there are many challenges ahead.

Why will ensuring the compliance with the GDPR be so demanding? Mainly because its implementation will require the collaboration of all key actors, such as IT, security, lawyers, technical managers, etc.