Chalk it up to the Snowden Effect.
Although it has been nearly three years since Edward Snowden turned the world on its head by releasing a trove of highly sensitive documents, the ripples of his decision are still being felt broadly.
To that end, the European Union recently finalized the text of what looks to be the world’s single most significant — and severe — data privacy law to date.
The General Data Protection Regulation (GDPR), as it has come to be known, has generated quite a bit of buzz on both sides of the pond. Long-heralded and oft-debated in Europe, the framework finally materialized this past fall.
The regulation, which aims to better protect the privacy of personal data for EU citizens, is being passed over the vociferous objection of some of the world’s biggest technology companies. The case was by no means black and white, and both sides had credible arguments — which are sure to be repeated worldwide as governments from Beijing to Brasilia consider similar legislation.
Underrated — and massive — impact
It’s important to note the distinction between a directive, the current framework for data privacy law in the EU, and a regulation like the GDPR. A directive leaves room for states to interpret a law and tailor it to their respective whims, whereas a regulation is broadly and uniformly applied across all member states. Given the extremely strict nature of the GDPR, this is an incredibly important distinction.
The new regulation will have an impact on businesses worldwide. The GDPR is seen by many as a barometer for the broader global agenda for ensuring data privacy. Policymakers in the post-Snowden era want to be seen as champions of data privacy, and they’re willing to enact tough legislation to make that happen.
This is hammered home by a piece of fine print currently in the GDPR: Businesses that fail to comply with the regulation can be fined up to $20 million, or 4 percent of global revenues. That’s huge. Here’s what a hypothetical fine could look like for just a handful of well-known, global brands based on total revenues for 2014:
Twitter: $56 million
General Mills: $716 million
Goodyear: $725 million
Vodafone: $2.3 billion
HP: $4.5 billion
Apple: $9.3 billion
The challenges of GDPR and cloud
Since its enterprise debut nearly a decade ago, the cloud has been championed by many as a catalyst for greater productivity and collaboration. Now, with the average enterprise using 755 cloud apps, it is an unstoppable force. But people haven’t been talking enough about how the GDPR presents a serious challenge to many cloud-consuming organizations.
Perhaps the most important factor to consider here is the set of cloud apps in use at an organization that contain personal data. Whether they are sanctioned or unsanctioned “shadow IT” apps, under the GDPR, it’s always the organization’s responsibility to protect those data.
This is particularly important when considering Shadow IT, the growth of which has been one of the biggest trends of the last decade. Consider the seemingly endless number of cloud-based apps out there today — from cloud storage to HR to finance to CRM, just to name a few. A large majority of these apps are not formally sanctioned by IT, which means there’s a good chance that employees are unknowingly putting their organizations’ data in jeopardy and the organization itself at risk of GDPR violation just by using unsanctioned cloud apps.
There’s been an alarming tendency for companies based outside the EU to write this off as a regional mandate that doesn’t concern them. They can’t do that anymore. This regulation concerns not only EU citizens, but any organization that processes the personal data of EU citizens. In today’s globalized, app-driven economy, that means just about everybody, from the small mobile gaming company based in the Midwest to the Chinese global e-commerce giant. If you’re interacting with EU citizens, you’re liable.
This is doubly concerning when you consider that most personal data today are processed in an unstructured way, meaning that the data reside in myriad Word docs, emails and PDFs. Maintaining visibility into and control over which data are stored where, and what types of actions may constitute a policy violation, is much easier said than done. But many organizations are still not seeing it for the potentially existential threat that it is should they fail to adapt and evolve.
Consider the recent breach at VTech, the Hong Kong-based electronics manufacturer, where hackers stole data including the names, email addresses, passwords, profile information, mailing addresses and download histories belonging to parents, as well as names, genders and birth dates of children. Profile photos and chat logs of millions of parents and their children were also stolen. Under the GDPR, this type of breach would result in a significant fine for VTech, especially considering that many of the data stolen were unstructured (chat logs, profile photos, etc.).
End of days?
For all the Chicken Little talk around the growing wave of global data privacy initiatives, though, there is hope. This is by no means a death knell for companies that take adequate steps to understand and comply with data privacy regulations. Instead, it’s indicative of the changing nature of how society views privacy, sovereignty and, ultimately, protection of users’ personal data.