In the race to compete in today’s digital world, organizations are using social, mobile, big data, analytics and the Internet of Things to gather as much information on their customers as possible, while simultaneously trying to do everything possible to protect themselves from cyber risks that originate both outside and within the organization. In this environment, privacy protection can become an afterthought, bolted on to information security programs in an ad hoc manner or, in the worst case, ignored altogether.
For years, regulators and privacy commissioners around the world have attempted to regulate privacy protection and develop privacy standards, such as privacy by design (PbD), for organizations to adopt and adhere to. However, even as regulators pushed accountability, many organizations treated it as voluntary rather than mandatory. They were content to address the letter of the law outlined in the legislation as opposed to its spirit, i.e., to meet minimal compliance obligations without taking responsibility for their role in protecting their customers’ or employees’ information.
With the forthcoming implementation of the European Union’s (EU) General Data Protection Regulation (GDPR), and its implications for organizations across the globe, the days of organizations leaving the responsibility for privacy protection to someone else are about to end. The GDPR places the onus of meeting specific privacy requirements on the entities collecting, storing, analyzing and managing personal data (personally identifiable information).
Firms subject to the GDPR will have to demonstrate their compliance with its requirements by May 25, 2018. The GDPR is much more demanding, and applies more broadly, than the existing EU data protection requirements it replaces. Each requirement by itself, such as the right to be forgotten, data portability, 72-hour breach notification to the supervisory authority, data protection impact assessments and privacy by design, is demanding; in aggregate, the GDPR is very onerous.