More than four years after the European Union started its journey toward new privacy rules, the EU Parliament adopted the final text of the new EU General Data Protection Regulation (GDPR) last week. The EU will complete the long and controversial process that led to the new rules next month, publishing the Regulation in the Official Journal of the European Union, but no changes can be made at this point. This leaves businesses with a two-year period in which to get ready for its implementation. Some EU countries, like France, will implement the new rules before 2018.
As a security and risk professional, you must start working now to assess what the new rules mean for your organization and make the necessary changes to technology, processes, and people. As you approach the task, keep in mind that the GDPR introduces important changes, such as:
Customers value tailored offerings. At the same time, consumers are increasingly aware of what Forrester calls the “privacy-personalization paradox” — the tension between their desire for personalization and their desire to keep their data private. A 2013 survey by Populus for Sky IQ of 3,097 UK adults found that 51% believe it is useful for brands to know some information about them, and 53% trust brands to act responsibly with their data. The same survey reveals that 79% of respondents are careful about the type of information they pass to organizations, 63% worry about how much personal data they have revealed online, 48% say that data privacy is an issue they think about, and 46% do not trust social networks with their personal data.