How General Data Protection Regulation Will Impact Businesses
The European Union (EU) General Data Protection Regulation (GDPR) takes effect on May 25, 2018. Regardless of physical presence in Europe, every organization that offers any product or service to the European market and does business with EU citizens will need to change its processes to comply with the new requirements.
The EU GDPR, adopted on April 27, 2016, replaces the Data Protection Directive 95/46/EC. The regulation is designed to support a single market and aims to give EU citizens control over how their personal data is used. At the same time, it reforms the processes that businesses follow for data privacy. It brings a set of new obligations, the most significant of which are the appointment of a data protection officer (DPO), mandatory data breach notification, and privacy by design and by default. Enterprises that fail to comply face penalties of up to €20 million or four percent of global annual turnover, whichever is higher.
GDPR affects multiple areas of business, including data management, data security (legal and compliance), and technology (hosting of data):
Data Management
- Data management practices are essential to achieving GDPR compliance: GDPR regulates the export of personal data outside the European mainland. With data spread across business segments and portfolios, it can be hard for an organization to determine where to start.
- The ‘Right to Data Portability’ and the ‘Right to be Forgotten’ are the two GDPR principles with the biggest implications for data management. ‘Data Portability’ means that personal data must be transferable from one company to another and must be available in a readable, standardized format. The ‘Right to be Forgotten’ gives EU citizens a stronger right to request the erasure of their personal data.
- To manage data efficiently, organizations must build a data processing inventory. Maintaining such an inventory is a requirement under GDPR, and it also serves as a single reference point for all data processes within the organization.
Data Security (Legal & Compliance)
- GDPR introduces new legal and compliance obligations for enterprises, defined around two roles: the data controller and the data processor. In general, GDPR applies to both the controller and the processor.
- A controller is an individual, organization, or public authority that determines the purposes and means of processing personal data. A processor is an internal group or an outsourcing partner that processes data on behalf of the controller.
- GDPR also changes security measures, i.e. how security processes are designed and managed. Organizations that experience a data security breach must inform regulators within 72 hours, so implementing new or enhanced incident response measures and supporting tooling is crucial.
Technology (Hosting of Data)
- In the wake of GDPR, data localization has become a major trend. To ensure compliance with GDPR, global organizations are increasingly opening data centers on the European mainland or engaging data center service providers there.
- The data center services market encompasses traditional data center outsourcing (DCO), hosting and colocation, and cloud Infrastructure-as-a-Service (IaaS) sub-segments, and is dominated by DCO. To increase international competitiveness and reduce IT costs, businesses are shifting to cloud IaaS.
- In terms of cost and pricing structure, cloud IaaS providers have different price bands across regions. Providers are subject to varying business cost factors, and the variation among these factors produces cost differences between regions. For instance, an enterprise whose data is currently stored in the eastern or western U.S. regions might pay three to 10 percent more (in terms of cost per hour) in the European region. Sourcing professionals must also account for data transfer costs, which usually range from $0.010 to $0.020 per GB depending on the location of the original data storage site.