The countdown to May 25th, 2018 has officially begun. If that date doesn’t set off bells in your head, it should: this is the date that the GDPR (General Data Protection Regulation) becomes the law of the land across the EU. The new regulation is set to replace the current Data Protection Directive, which governs how citizens’ digital data is handled.
What Is the GDPR?
Today, even the average person is rightfully concerned with the way personal data is used — and often manipulated — by companies. This concern, coupled with the constant threat of data breaches, has propelled lawmakers in the EU to create the GDPR, a harmonized and consistent approach to data protection across the region. The ultimate goal is to give citizens much greater control over their data. Under the GDPR, citizens can request access to their information at any time. They can similarly ask to have their information deleted entirely when it is no longer in use for its specified purpose. Citizens will have the right to transfer their data, to restrict the information collected, and to be informed before any data is collected. Moreover, in the case of a breach, any affected parties must be notified within 72 hours.
How is Personal Data Defined?
The GDPR’s classification of what constitutes personal data is groundbreaking. As per the EU definition, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” The personal data of minors, personal data related to convictions and offenses in the EU, and special categories of data about individuals, such as their ethnicity and political or religious views, are also covered by the new regulation. While these guidelines may seem overly nuanced, this comprehensive framework will increase transparency and accountability on the part of companies collecting data for monetary gain. In a world where user privacy has all but vanished, the GDPR is a necessary move to regain individual control over online data.
Yes, GDPR Applies to You (Wherever You Are)
Lest you assume that non-EU residents do not need to abide by these rules, think again. Clearly, non-EU residents are not granted the same digital rights as EU citizens. However, business owners or CIOs outside the EU must be GDPR-compliant if any customers or users, no matter how insignificant, reside within the EU. Failing to comply with the new regulation may subject the offender to heavy fines: either two or four percent of yearly revenue, or 1,000,000 or 2,000,000 Euro, depending on the offense. For many businesses, failure to prepare for the impending regulation may be their undoing. A recent study by Gartner Associates predicts that less than 50 percent of American companies will be GDPR-compliant by the end of 2018, a full 7 months after the law takes effect. Worse yet, a study by Crowd Research Partners suggests that only 32 percent of EU companies are on their way to becoming compliant. According to the compliance firm TrustArc, in a poll of 204 EU companies with between 500 and 5,000 employees, 61 percent said that they have not yet begun to implement their plan for compliance.
The Role of Backup and Disaster Recovery in GDPR
Setting up and maintaining a solid backup and disaster recovery plan has always been a critical part of remaining agile in the face of disaster. Today, it is also a central issue in becoming GDPR-compliant. Incidents like ransomware attacks or natural disasters prove that companies can, and often do, lose access to their most important resources in the blink of an eye. So, while backup and DR have always been good business practice, the GDPR has made them essential. Article 32 of the law states that companies must have a backup and disaster recovery plan in place that will allow for continuous access to data. The plan must be designed to protect and maintain the privacy of the data; data must remain entirely secure, available, testable and GDPR-compliant – even while the company is operating with limited resources. AWS cloud backup and AWS disaster recovery solutions like N2WS can perform full data recovery in a mere 30 seconds, while all data is encrypted in flight and at rest. Companies that don’t have a robust backup and DR plan in place will find themselves subject to the huge fines mentioned above.
Conclusion
Because companies clearly wish to continue doing business with current and future EU-based customers, it’s important to ensure compliance before the new law takes effect. May 2018 is around the corner. With the right tools in place, becoming GDPR-compliant and developing a more resilient and robust approach to backup and disaster recovery can easily be achieved at the same time. The GDPR need not be viewed as a looming threat; it is indeed a golden opportunity to transform the organization into a security/privacy-first operation.