iboss - Discusses the Stipulations of EU's Forthcoming General Data Protection Regulation

BOSTON, MA / ACCESSWIRE / December 20, 2017 / In an age where online operations dominate personal and business activity, two decades equals eons in terms of platform functionalities, software relevance, and, most of all, cybersecurity. With technological advances changing the virtual landscape on a daily basis, protective measures and regulations quickly lose pertinence, and the European Union (EU) aims to address the issue by replacing its Data Protection Directive of 1995 with a new set of rules to govern the collection, management, and usage of personal information. Called the General Data Protection Regulation (GDPR), this legal framework will become EU law on May 25, 2018, and will have powerful ramifications on a global scale, according to the cybersecurity experts at iboss.

EU officials say that GDPR is intended to "harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." However, the provisions will also affect all non-EU organizations that have business dealings in the bloc and collect personally identifiable information (PII) from its citizens. This raises the compliance bar to staggering heights, with companies violating the rules liable to fines of as much as 4% of their annual turnover or 20 million euro, whichever is greater. The specifics of what constitutes punishable offenses and the size of non-compliance penalties are detailed in Article 79 of GDPR. As iboss notes, of particular importance to business organizations are also Articles 31 and 32, which deal with data breach disclosures. These entries stipulate the obligations of controllers regarding customer notification timeframes, with requirements including details related to the size and nature of the security breach.

http://ibossnews.com

Overall, GDPR contains 91 articles spread across 11 chapters. Some of them (Articles 23 and 30) provide a useful guideline for implementing data protection measures along with the legal repercussions for information loss or exposure. Others (17 and 18) concentrate on the "right to portability," which will allow data subjects to exert greater control over their PII by facilitating its transfer from one service provider to another. Companies that automatically process customer information will also have to comply with rules on the so-called "right to erasure," which empowers data subjects to request the deletion of their PII under certain circumstances. In its drive to bolster information privacy and safety, the EU has also enshrined in law the creation of a corporate position termed data protection officer (DPO). As stipulated in Article 35, this will be required of companies that process particularly sensitive information, for example health, genetic, ethnicity, race, and religion data. The next two entries provide an overview of a DPO's responsibilities, which include ensuring regulatory compliance, conducting internal privacy assessments, and acting as liaison with the relevant authorities when necessary.