Employment Law and Security Management

Employment Law and Security Management: Evaluating the GDPR
Introduction
While the General Data Protection Regulation (GDPR) is a piece of legislation developed and ready to be implemented by the European Union, the ramifications of this law will be felt far beyond the boundaries of the EU. The GDPR replaces the old Data Protection Directive of the EU and will apply to any company in the world that sells or markets goods or services to EU citizens. Security management teams have already been put on notice for companies like Facebook, which specializes in obtaining data from the users of its platform and selling it to third parties. With the GDPR in place, this practice will no longer be acceptable. This legislation is a game changer, and this paper will provide an evaluation of the GDPR, a summary of the law, and a discussion of its benefits and limitations and how it will impact security management.
GDPR Summary
The GDPR aims to protect the data privacy rights of citizens in the EU from companies looking to exploit their data by collecting it against their will and selling it to third parties against their wishes. In other words, this legislation flies in the face of what every website and company on the Internet wants to do with users’ information—profit from it.
This legislation goes beyond the EU. It is really a global piece of legislation because it impacts every company that wants to do business in the EU—and since virtually every corporation today is part of the global economy there are few major companies and industries that will not be impacted by this legislation.
What does the GDPR intend to do precisely? The most important elements of this law are concerning data protection requirements that companies must abide by. These requirements include:
1. The requirement to obtain the consent of users before collecting, storing and transferring their data
2. Making sure that any data that is collected contains no personal identifying features—i.e., all users are made anonymous: no personal data remains
3. If data collections or databases or hacked or breached, all users with records on file must be notified as well as the public at large through press release so that all stakeholders are informed of the security breach
4. Any data of users or consumers that is moved across borders must meet specific regulations regarding safe transfer
5. Companies will be required to hire a data security manager to ensure full compliance with the GDPR if they wish to do business in the EU
For U.S. companies, there is no getting around the fact that the GDPR will change the way many of them do business. Already it is well known that Facebook has moved its European servers out of the EU to avoid any immediate violations with respect to the GDPR. However, this is but a cosmetic fix for a company that specializes in making money in virtually every way that the GDPR has just outlawed. Other companies that have been looking to follow Facebook’s example must now rethink these strategies as security management in the global world now faces the problem of securing data in the digital world.
Benefits
The benefits of this legislation are that it will help to ensure that consumer data is respected, that privacy rights are not violated and that Internet users do not have their personal profiles and personal data collected and sold to third parties without their consent.
This is a benefit to various industries who do not follow the Facebook business model and want to respect the rights of individual users. For a variety of industries, this piece of legislation is welcome news because it puts every business back on an even playing field, with no advantages given to those who are in the business of harvesting and selling data.
In a world where Big Data is king, data security is an insurrectionist who threatens to take the throne. The GDPR is the first salvo in this battle and this is not necessarily a threat to companies that are not invested in the Big Data markets. Industries that are based on more traditional business models will be unaffected by this piece of legislation so long as they do not violate the privacy rights of their users and consumers online.
Companies that violate the GDPR face stiff penalties. The GDPR is now in effect and that means any company wishing to do business in the EU must comply with its statutes or face severe fines. Investigations are already underway so the playing field is now evening out.
Limitations
Like any piece of legislation, there are always loopholes—and this one is no different. Companies in the U.S. may be able to ignore the GDPR completely and be held unaccountable. How? Interpreting the legislation is where the difference will occur: for companies outside the EU wishing to still engage in data harvesting, all they need to do is dispute or challenge the idea that they are offering goods or services to individuals in the EU. If they can show they are doing no such thing, they are not bound by the GDPR.
Most American businesses looking to do business in the EU are doing it because they want to offer goods and services—so this loophole will not apply to them. However, for some businesses like Facebook, which specialize in the collection and sale of Big Data, they may be able to dispute the fact that they are offering goods and services since all they really are is a platform for sharing information. If sharing information is judged as a service it is offering, that could break the case wide open—but the uncertainty could mean that in the immediate future the GDPR is likely to be limited in terms of how far it can prosecute its case against businesses whose business model is based on harvesting Big Data.
Another limitation is the fact that there is an invisible daisy chain of data that cannot always be detected. Third parties, moreover, play such a large role in the shuffling of data from one source to the next, that Big Data could easily be collected on users without their consent simply by having a door open on the process and a pool siphoned off from the network. While this would be technically illegal under the GDPR, it would be difficult to prove that it is happening
For security manager, the legislation means that new scope is going to be required of the department and personnel hired who understand the security risks and regulations regarding how data is handled in every industry---because the digital world is here and digitalized data can bring in top dollar.