This paper evaluates the European Union's General Data Protection Regulation (GDPR), examining its core data protection requirements, its global reach beyond EU borders, and its implications for security management. The paper summarizes the law's principal obligations — including user consent, data anonymization, breach notification, and the appointment of a data security manager — before weighing the benefits for consumer privacy and industry fairness against key limitations. Limitations discussed include jurisdictional loopholes available to companies that can dispute offering goods or services in the EU, and the practical difficulty of detecting third-party data harvesting. The paper concludes by noting what the GDPR demands of corporate security management departments.
While the General Data Protection Regulation (GDPR) is a piece of legislation developed and implemented by the European Union, its ramifications will be felt far beyond EU borders. The GDPR replaces the old Data Protection Directive and applies to any company in the world that sells or markets goods or services to EU citizens. Security management teams at companies like Facebook, whose business is built on obtaining data from its platform's users and selling it to third parties, have already been put on notice. With the GDPR in place, that practice is no longer acceptable. This legislation is a game changer, and this paper provides an evaluation of the GDPR: a summary of the law, a discussion of its benefits and limitations, and an analysis of how it will impact security management.
The GDPR aims to protect the data privacy rights of EU citizens from companies seeking to exploit their data by collecting it without consent and selling it to third parties against users' wishes. In other words, this legislation directly challenges what virtually every website and company on the Internet wants to do with user information: profit from it.
This legislation reaches well beyond the EU. It functions as a global piece of regulation because it affects every company that wishes to do business in the EU — and since virtually every major corporation today participates in the global economy, few large companies or industries will remain unaffected.
The most important elements of the GDPR concern specific data protection requirements that companies must abide by. These requirements include:
1. The requirement to obtain user consent before collecting, storing, or transferring their data.
2. Ensuring that any collected data contains no personal identifying features — that is, all users are rendered anonymous and no personal data is retained.
3. If data collections or databases are hacked or breached, all users with records on file must be notified, and the public must be informed through a press release so that all stakeholders are aware of the security breach.
4. Any user or consumer data moved across borders must meet specific regulations for safe transfer.
5. Companies must hire a dedicated data security manager to ensure full compliance with the GDPR if they wish to do business in the EU.
For U.S. companies, there is no avoiding the fact that the GDPR will change the way many of them do business. It is already well known that Facebook moved its European servers out of the EU to avoid immediate violations of the regulation. However, this is a cosmetic fix for a company that makes money in virtually every way the GDPR has now outlawed. Other companies that had been looking to follow Facebook's example must now rethink those strategies, as security management in the global economy faces the growing challenge of securing data in a digital world.
The primary benefit of the GDPR is that it helps ensure consumer data is respected, that privacy rights are not violated, and that Internet users do not have their personal profiles and data collected and sold to third parties without their consent.
This is a significant benefit for industries that do not follow the Facebook business model and wish to respect the rights of individual users. For a variety of industries, this legislation is welcome news because it levels the playing field, removing any competitive advantage previously held by companies engaged in harvesting and selling data.
In a world where Big Data is king, data security represents a serious challenge to the status quo. The GDPR is the first major salvo in that battle, and it is not necessarily a threat to companies that are not invested in Big Data markets. Industries built on more traditional business models will be largely unaffected by this legislation, provided they do not violate the privacy rights of their users and consumers online.
Companies that violate the GDPR face stiff penalties. Now that the regulation is in effect, any company wishing to do business in the EU must comply with its statutes or face severe fines. Investigations are already underway, and the competitive playing field is beginning to level out.
Remaining sections: Jurisdictional gaps and enforcement challenges; New demands on corporate security teams.