There have been many predictions for 2017 that have touched on the impact the EU GDPR will have on organizations around the globe, but the truth is that the GDPR is not the only change on the horizon. Federal, state, and industry regulators have all made moves in the past year indicating that 2017 will see an increase in the frequency and severity of compliance investigations and fines, and perhaps the introduction of stricter regulations.
The EU General Data Protection Regulation (GDPR) entered into force on May 24, 2016, with its rules applying from May 25, 2018. The GDPR imposes extensive requirements on organizations, particularly those in healthcare; its requirement for data protection “by design and by default” means that protective measures must be built into every data processing and storage activity and device. A failure to remain compliant with the GDPR, or a failure to prove compliance through audit records, could result in heavy regulatory fines.
The GDPR isn’t just of concern to organizations based in the EU, but to all organizations that process the personal data of EU data subjects. Given the global nature of most businesses, the implications of the GDPR will be wide-reaching. Currently, many US-based organizations are not aware of, or preparing for, the upcoming changes, which will place them in a precarious position starting in 2018.
The UK government released its own plans to implement the GDPR no later than 2018, putting to rest fears that Brexit would upset the implementation of these new standards. The GDPR as implemented in the UK would require companies to report personal data breaches to the Information Commissioner’s Office (ICO), within 72 hours of becoming aware of them, and to notify affected individuals where a breach is likely to result in a high risk to them.
Several 2017 forecasts pinpoint 2017 as the year organizations will scramble to change their processes and technologies to remain compliant, but the GDPR is not the only regulation that organizations need to be preparing for.
China recently passed its own cybersecurity law, set to have broad implications for international businesses, and Australia is also close to passing its first data breach notification bill. It is likely that in 2017 we will see a Canada-wide regulatory requirement to disclose data breaches. The Digital Privacy Act amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) have been on the books, although the specific requirements on reporting of data breaches are not yet in force.
Laws are being enacted and amended on a regular basis across the globe, placing the onus on international organizations to continually research the requirements of each country in which they do business. For global businesses, this results in complexity and uncertainty around both the required protections and the notification requirements. For organizations within the US, there is the added complexity of complying with individual state breach-notification laws, several of which were amended in 2016.
Beyond these global, federal and state laws, organizations must also account for the industry-specific regulators that enforce their own requirements.
In 2016, the Federal Trade Commission (FTC) made aggressive strides to assert its authority as the federal agency responsible for data security enforcement over any organization, even HIPAA-covered entities. Which brings us to the industry-specific regulators: the HHS Office for Civil Rights (which enforces HIPAA), the SEC and FINRA have all increased their commitment to data protection through published requirements, examinations, investigations and even penalties. The actions of these independent regulatory bodies in 2016, publishing guides, conducting examinations and starting to issue fines, point to 2017 being the year we see them issue independent fines against organizations that have experienced data breaches.
As you can see, compliance requirements and data breach notification requirements are a moving target, both domestically and internationally. 2017 promises to be a year of continued flux, but we also believe that these collective actions signal a dramatic shift in the compliance landscape, one in which organizations face multiple independent investigations and fines arising from a single security incident, not to mention the drawn-out class-action lawsuits that are now a routine part of a breach.
With Absolute Data & Device Security (DDS), organizations can regain control over the endpoint and the data it holds, even when that data is kept in cloud storage applications. With insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches by remotely deleting data or locking down devices, and prove compliance if needed. Learn more at Absolute.com