4 Ways The New EU Data Law Will Change Your Company
Protecting sensitive data has been a long-standing priority for companies and consumers alike. But our increasing reliance on cloud technologies has only compounded data security concerns, and governments are responding. The European Union’s recent General Data Protection Regulation, finalized last December and subject to approval this January, will have major effects on U.S. companies.
Since our last post on the topic, more details have emerged and it’s clear that the law represents a much deeper change. As companies move forward with cloud strategies and governments respond with compliance requirements, it will be increasingly difficult to deal with data security and operations separately. This is exemplified in the legal document’s shift of focus. Computer Weekly reports that the language is driven conceptually by the monitoring of EU residents’ digital activities and the flow of the data accumulated about them, which brings much closer scrutiny of everyday business practices.
The reason for this shift is clear. Business operations are growing more global and interconnected. It’s typical for U.S. companies to collect information on European customers through online means, as with all customers. It’s also normal for that data to be transferred in the cloud for storage and processing. And that is precisely why the new European laws are so wide-reaching. As legal scholars wrote in Data Protection Law & Policy, “[o]ne of the most carefully thought-out aspects of the GDPR is its extraterritoriality. . . given that pretty much every website and app in the world does that.”
The choice for businesses appears simple. Start adapting now or face harsh consequences later. For starters, the penalty is a steep fine of 4% of a company’s global turnover. Although the legislation won’t take effect until 2018, it just might take companies that much time to make the necessary changes. Ross McKean, partner at Olswang law firm, states that “[o]rganisations will need to adopt entirely new behaviors in the way they collect and use personal information.”
But that’s where the simplicity ends. In reality, companies have already been adopting new behaviors. This legislation is actually a response to that. What’s now required is for businesses to streamline those new practices with privacy protocols. Security and performance within a network must be managed together. With that in mind, here are four compliance requirements and how to meet them.
1. Mapping out Data Flows
Businesses need to create maps describing the flow of personal data within their network. This is a core requirement from the EU because, as TechCrunch put it, “the typical cloud business structure involves harvesting users’ data and moving it to another region for processing.” To meet this requirement, a bird’s eye view of networks is crucial. We recommend using software with some form of unified performance visibility.
2. Conducting Risk Assessments
It will be imperative for companies to perform and document risk assessments. Not only will data capture and flow be crucial for this, but so will factors like firewalls, vulnerability scanners, and intrusion detection. Given the multiple tools that are used to secure a network, a comprehensive view will be necessary. Again, the theme of unifying security and operations is important, and you can read a more in-depth explanation here.
3. Hiring a Data Protection Officer
Companies that handle large amounts of data will need a dedicated data protection officer. While small and medium companies that don’t process information as a core business activity may be exempt, companies will need to do one of two things: either equip a data protection officer with all the tools they need, or provide a personal data map that explains why their business qualifies for exemption. The same tools from the previous requirements can help out.
4. Developing Stronger Privacy Protections
Lastly, the new EU rules will require companies to have privacy protections built in throughout their operations. The name of the game for EU policymakers is attention to detail in the cloud. This requires an understanding of how different applications specifically interact. Look for network management software that includes or integrates with application monitoring tools, such as Riverbed SteelCentral.
That’s certainly a lot of responsibility! While further developments will spell out the exact details, these issues are central. In the end, successful transitions for businesses will depend on their ability to merge data operations and security in their management methods. Today’s pace of change is fast, but with the right tools and actions, businesses can capitalize on the cloud without being held back by regulations.