Preparing for the GDPR – Part 1: Repercussions Far Beyond Europe

By Michael Mittel, CEO, RapidFire Tools 

The European Union’s GDPR (General Data Protection Regulation) is one of the most sweeping global IT regulations in history, set to take effect on May 25, 2018. Designed to protect European consumers from breaches of their personal identifying data (PID), it regulates how and for how long this PID can be stored on the network following a transaction.

If businesses in the US have been complacent about this new set of regulations so far, they’ve been doing so at their own peril. A majority of US companies conduct online commerce, making it virtually impossible to restrict purchases from European consumers. And if data from a European customer or business partner is transmitted via a US company’s network, that company is subject to the GDPR.

In essence, the GDPR compliance mandates will impact just about every organization that does business online, regardless of a company’s geographical origin. Reports from the UK’s Computer Weeklyconcur, calling GDPR “the first global data protection law.”

“One particular aspect of the regulation that makes it much more far-reaching than it would otherwise be: The GDPR applies to any organization, anywhere in the world, that collects data on citizens of the EU,” confirms security editor Warwick Ashford. “As such, even a small, web-based business located on a different continent would have to be GDPR compliant.”

However disruptive this may be for the global marketplace, it presents an immense opportunity for MSPs—beginning with the task of educating their customers about these expansive implications. The EU is threatening penalties of up to €20 million, or up to 4% of a company’s previous fiscal year’s worldwide turnover, for non-compliance.

One of the stricter caveats of the GDPR is that it broadens the status-quo definition of personal data to include any information that can be used to identify an individual. This includes such granular categorizations as such as genetic, mental, cultural, economic, or social information. This will leave a host of companies vulnerable, especially those in markets such as healthcare, finance, non-for-profit service organizations, municipalities, and education, where such personal classifications often come into play.

Part 2 of this blog will explore strategies MSPs can implement to help their business customers prepare for GDPR compliance, avoid penalties, and mitigate ongoing risk of global PDI breaches.