Thousands of American companies including financial institutions that do business directly or online with European customers need to start reckoning with data privacy regulations enacted by the European Union that are due to go into full effect in just two years, according to the International Association of Information Technology Asset Managers, Inc.
“These are sweeping changes to how personal and corporate data is to be handled and they have far-reaching implications for many aspects of U.S. businesses, particularly in terms of how information security is addressed. The days are long past when U.S. businesses could worry only about complying with laws and rules in this country,” IAITAM CEO Dr. Barbara Rembiesa said. “Companies that fail to start planning now to deal with the General Data Protection Regulation requirements are going to be in for a real shock.”
Banks will be among the first organizations to receive huge fines for not complying with the EU’s GDPR when it finally comes into force, according to European professionals polled by security firm Varonis.
IAITAM identified the top five impacts the new EU regulations will have on any organization:
- Data breaches. “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” – The changes the GDPR makes to the definition of a data breach are significant. If an organization experiences a data breach, it must report it within 72 hours of the company becoming aware of the breach.
- Data Protection Officer requirement. The EU has determined that an individual is necessary at each company doing business in Europe to ensure the maintenance of data privacy and data control at a high standard.
- Consent of those providing data. The data controller bears the burden of proof for the data subject’s consent to the processing of their data for specified purposes. This aspect of the GDPR requires active acceptance of the terms and conditions by the end-user. Consequently, mere “use” by the end-user will no longer be sufficient acceptance of the terms and conditions.
- Special handling of data related to Europeans. This provision protects EU citizens’ data once it is moved outside the EU. Any organization that is international in scope and handles personal information of EU citizens, such as phone numbers, addresses or any other identifying information, will be subject to the GDPR. In addition, any organization that receives the information “third-hand” will also be subject to the regulation.
- Potential for hefty fines and court penalties. “For infringements of this regulation, in particular for infringements which are not subject to administrative fines, member states shall lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.” An effective policy is an enforced policy. Subject to what would be referred to as a “tort” in the United States, an organization will be fined by the member states to ensure that the damage to an individual is made whole in addition to penalties and fines meant to deter any additional infractions. This type of enforcement can become increasingly potent and result in monetary penalties reaching into the billions.
“What is important to take away here is that any organization that processes or handles data from EU citizens must become familiar with this legislation and fully understand the impact it will have on daily business processes. Between the sweeping scope of the GDPR and the penalty structure, this is a piece of legislation that should be treated seriously and with an eye to what it will take to ensure full compliance,” Rembiesa said.