Although data breaches have been rampant for many years, general data privacy laws have been thin. Strong data privacy laws were enacted in the medical field in 1999 when HIPAA was amended with the Privacy Rule. However, it wasn’t until the European Union passed the General Data Protection Regulation (GDPR) in 2018 that the average person’s data became fiercely protected… at least in the EU.
GDPR compliance in 2019 is non-negotiable
Any business or individual that collects data on EU citizens is bound by GDPR regulations. In a nutshell, GDPR gives individuals the rights to their own data. The law requires businesses to delete an individual’s personal data upon request. This seems simple, but deleting personal data requires knowing where all copies of that data is stored and being able to delete it securely.
The penalty for non-compliance is up to 4% of annual global revenue or 20 million Euros, whichever is greater.
GDPR compliance requires a shift in business practices
GDPR isn’t a one-time set-it-and-forget-it approach to data security. Compliance requires coordinating a multitude of factors including knowing who has access to personal data and how it’s being used. This will require a change in policy and procedures for most businesses.
Data collected through web forms is easy enough to control according to GDPR rules. However, a potential blind spot for GDPR compliance is a company’s web server. Since web servers reside in data centers, it’s difficult (if not impossible) for business owners to know if an unauthorized party might have access to their clients’ data, and where additional copies of that data might be stored.
GDPR means thinking twice about shared webhosting
In 2019, it’s more important than ever to secure webhosting from a company using a compliant, reputable data center. This requires avoiding shared hosting plans no matter how good the pricing is. There might be shared hosting plans utilizing compliant servers, but there are too many people in the middle to find out.
“Data center providers are an important piece in the GDPR compliance chain as they have ownership of the physical assets where information is stored,” Jose Casinha, CISO at OutSystems told Data Center Knowledge. Those physical assets, also called servers, often contain numerous copies of data in the form of backups. To be GDPR compliant, a business owner must know exactly how many copies of their data exists, where it’s being stored, and how it’s being accessed.
Although data centers can be held directly liable for GDPR and other data privacy violations, using a non-compliant data center won’t let you off the hook.
Data centers need to catch up
As much as a business tries to comply with GDPR, they will be limited by the functions their data center allows them to perform on their web server. For example, if customers (businesses) are given the option to delete data from the server, but that data doesn’t get erased permanently, that isn’t compliant.
Data centers will need to overhaul the controls and functions provided to customers to allow the permanent deletion of data, including previously automated backups by the server.
California is following in the EU’s footsteps
In June 2018, the California Consumer Privacy Act (CCPA) was passed in response to the Cambridge Analytica scandal and goes into effect January 1, 2020. This law is similar to GDPR and provides consumers the right to access their data, opt-out of having their data shared with third-parties, and the right to have their data deleted. This law requires every business to publish a link on their website for consumers to opt out of having their data shared with third parties.
Eleven additional U.S. states have introduced similar legislation, all regulating opt-out rights and disclosure requirements. The U.S. Congress has even introduced data privacy bills in an attempt to implement a federal data privacy standard.
2019 is the year to get compliant
All of these proposed laws will cost businesses a significant amount of money to make the required policy changes, but data protection is no longer an option in 2019.
The laws aren’t perfect, and there are conflicting requirements between the laws, but it’s time for businesses to take data privacy seriously. Data breaches cause irreparable harm to people, and it doesn’t look like they’ll stop anytime soon.