GDPR makes European companies legally responsible for private information they receive, process and retain. But what does GDPR mean for businesses and people from non-EU countries? Aleks Yenin of Polontech explains.
Do we really need GDPR? Absolutely. What is more, I had been expecting it much sooner. The last cybersecurity act has been in effect since 1995. We all know how dynamic the IT industry is and how different it is, even technically, from 1995. Society has also changed. Nowadays sensitive data, presented at the right angle, can seriously damage one’s reputation – we’ve seen it all in the recent political scandals. So yes, it’s high time to change. Actually, my opinion is shared by more than 90% of HubSpot respondents, according to their research. I also know that Fortune 500 companies invested more than seven billion dollars to support GDPR. Such actions speak louder than words – business really needs this new policy.
What will change in practice?
Firstly, the definition of private data itself. According to GDPR, it is now any information that allows a person to be identified: not only name and surname, but also cookies, IP address and workplace.
Moreover, there’s a new notion – sensitive private data. It’s the type of information that can be used by cybercriminals for defamation, manipulation and blackmail, things like sexual orientation, religious beliefs and political affiliation. So it must be handled with great care by the company that stores it.
The geographical scope of GDPR is rather complicated. First and foremost, GDPR applies to companies from the European Union. But it applies as well to EU-oriented enterprises that request, process and retain EU residents’ private information.
What does it mean for non-EU countries?
So starting from the 25th of May, non-EU companies that place their apps on Steam, the App Store or Google Play must abide by this new legal act? Yes. Developers always need to closely interact with their clients. For example: an IT team works with a server version of JIRA and has a customer from the EU. When a customer submits any information that identifies him, the company immediately becomes responsible for it. Having a website in English and using JIRA with the English interface can be considered as orientation towards Europe, and this makes the company GDPR compliant.
I keep in touch with my European colleagues and I can say they are very law-abiding. The majority have already made their GDPR statements: first of all, because they don’t want to be fined, and secondly, because they don’t want to ruin their reputation, which is very important in the EU. According to the poll by the leading cybersecurity company Netsparker, 98% of their C-level managers view GDPR as a serious matter.
The situation in Eastern Europe is totally different. I see that CEOs here dismiss, nearly ignore, the topic of GDPR. I’m more than certain that international corporations based in non-EU countries became GDPR compliant a long time ago, while mid-sized and small companies do nothing, believing GDPR doesn’t concern them.
They might think GDPR regulators won’t find them. What’s more, the financial risks don’t seem very convincing to them. Still, even if they aren’t fined, their reputation will be damaged. One negative review from an EU customer, saying a company doesn’t comply with GDPR, will be enough for potential customers to avoid this firm.
What about benefits?
Is GDPR a formality or a valid data security measure? Please don’t forget that GDPR is not a standard for information security. It urges companies to take the collection, storage and retention of personal data more seriously. Moreover, it encourages companies to use sounder technical measures for data protection. However, most of us still don’t know for sure how GDPR violations will be detected and what fines will be imposed. I suppose we’ll wait and see from future cases.
You know, the ones who will definitely benefit financially from GDPR will be law firms. They will look for violations of this act on corporate websites and blackmail companies for money. 50,000 euros for “consulting services” or a 20 million euro fine – the choice is obvious. I expect this to become rather common.
Does getting GDPR compliant cost much? It requires more human resources. If you are a company developing software, your CTO should decide what measures to implement so that you can retain customer data and then completely erase it in case the customer wants to be forgotten. Yet in well-established corporations that always wanted to protect customer privacy, such measures already exist. Or, let’s say, there’s a company dealing with children. It needs to find a way for parents to give permission to use their kids’ private information. On the other hand, there’s no way to determine whether it’s a real parent or guardian giving you the permission. Yet it’s the formality we’ll have to stick to from now on.
Another complication: according to GDPR, personal data that’s no longer used must be deleted. But how can JIRA users do that automatically, when there’s no “bulk delete personal data” button?
Digging deeper into technical details, the JIRA database wasn’t meant for transactions. A user can’t view old versions of an object and can’t keep the version they want. All this makes data cleanup a problem. To manage all that, a company must know the tool very well and have lengthy practical experience.