GDPR - New Frontiers in Regulating Data Protection and Privacy Standards

In recent years, the world has become even more data-driven. We have seen the explosive demand for data which ushered in the creation of unprecedented volume, velocity and variety. This shift has also resulted in additional risks, with wider impact and costlier consequences, such as:

• Uber confirmed that the recent hack affected 57 million customers and drivers worldwide;
• Yahoo disclosed that over 3 billion of its email users were likely compromised over the last four years;
• Equifax, a consumer credit reporting agency, experienced the theft of over 140 million consumers records[1].

These and similar incidents highlight that no company, regardless of its type, location or size, is immune to cyberattacks or data leakages. The Cost of Data Breach Study supports this perspective, as 1 in 4 company will likely experience a security breach[2]. Increased attention to the protection and privacy of data should therefore be a priority for organizations.

Considering the current landscape, it is hardly surprising that the theft of information remains the most expensive consequence of a cybercrime, as reported by the 2017 Cost of Cybercrime Study[3]. The study further states that for industries such as financial services, and utilities and energy, the average cost of cybercrime amounts to over $17 million. Global reports continue to reveal numerous breaches and leaks that underscore that the application of baseline standards for the protection and privacy of data is an absolute necessity.

The adoption of sound data protection and privacy practices, processes and technologies will help an organization to:

• Safeguard customer data, trade secrets and other sensitive data;
• Minimize risk exposure;
• Minimize the costs associated with responding to a breach;
• Reduce or eliminate any payment of penalties associated with a breach; and
• Meet regulatory requirements.

The European Union (EU), in a bid to protect all its citizens from privacy and data breaches,implemented the General Data Protection Regulation (GDPR)that will come into force on May 25, 2018. The provisions of the GDPR apply to organizations located in the EU and to organizations located outside of the EU, if these organizations:

• Offer goods or services to EU data subjects; or
• Monitor the behavior of EU data subjects.

This means that the GDPR touches and concerns many organizations worldwide. Consequently, organizations operating (physically or remotely) in several countries such as financial services, pharmaceutical and health services, education services, telecommunication services, and consulting services may be impacted.

Some of the crucial changes under the GDPR[4] are shown in Table 1.

Table 1: Key Changes under GDPR

Key Changes	Summary
Increased Territorial Scope	GDPR's application extends beyond organizations in the EU.
Consent	Consent requests must be clear and intelligible, and distinguishable from other matters. The right to withdraw consent must be also clear
Rights of Data Subjects	Provides for extended rights such as: Timely mandatory breach notification Right to access to information on the nature and form of personal data being processed Right to be forgotten
Penalties	An organization in breach may be fined up to 4% of annual global turnover or 20 million

These and other changes will likely impact an organization strategies, policies, processes, procedures, and the use of technologies. The Data Protection Impact Assessment (DPIA) is one integral step for many organizations in determining their preparedness to meet the new regulatory requirements.

Wilson Consulting Group knowledgeable and experienced team will work with you to ensure that your organization is prepared for GDPR.Our GDPR Compliance Services helps your organization to:

• Identify potential gaps and vulnerabilities in your business;
• Assess and refine your organization incident response policies, processes and practices;
• Developsecured solutions to manage the processed data throughout its lifecycle; and
• Conductprivacy impact assessment (PIA).

Undertaking these activities will help to ensure your organization readiness for GDPR and improve privacy and security practices in your organizations.

[1]31 of the most infamous data breaches, https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/

[2]2017 Ponemon Cost of Data Breach Study

[3]2017 Accenture Cost of Cybercrime Study

[4] The EU General Data Protection Regulation (GDPR), www.eudgpr.org