The European Union’s new data protection regulation, the GDPR, gives EU citizens ultimate control over their personal data. But when did we lose control? And why?
In the first of a two-article series Ben Gould, Managing Director, EMEA & APAC, Opus Global, outlines the aims of GDPR and the statistics that prove why a refresh of data protection regulation has become so necessary.
It’s less than a year until the EU’s General Data Protection Regulation (GDPR) becomes applicable. Described by the UK’s Information Commissioner, Elizabeth Denham, as “the biggest change to data protection law for a generation”, this new regulation gives EU citizens much-needed control over their personal data and significantly increases the penalties for companies that fail to protect the data they hold.
As the deadline for compliance looms, we take a step back to remind ourselves why this drastic overhaul to data protection and privacy laws is so urgently needed.
A brief background on GDPR
The GDPR’s predecessor, the EU Data Protection Directive, was drawn up in 1995. That’s the same year that Microsoft introduced Internet Explorer 1, and that Amazon and eBay were founded. In 1995, the number of internet users globally stood at 16 million.
Fast forward to 2017: The internet has grown to over 3.7 billion users; Amazon ships in excess of 1,000 packages each minute; and mobile phones, email and social media have become part of our daily lives. We now share an incredible amount of information about ourselves with the companies we interact with – from basic contact details through to credit card information, photos, messages and browsing preferences. In the right hands, this data can be used to enhance our interactions with a company. In the wrong hands, it can be used for a range of criminal activities, from fraudulent payments through to full identity theft.
Adopted by the European Parliament and the Council of the EU on April 27, 2016, the GDPR applies from May 25, 2018 with the aim of:
Creating a unified approach to data protection across the EU. Currently, EU member states have their own national laws that reflect the 1995 EU Data Protection Directive. While all members have been working towards the common goals set up by the directive, how they achieved them was left up to each country to decide. The GDPR is a regulation, which is directly applicable, in full, to all member states.
Protecting EU citizens in the global economy. The internet has made the world a much smaller place and our personal data is now spread far and wide across the globe. The GDPR is applicable to any company, no matter where it is based, that processes the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour.
Giving individuals full control over all their personal data. It’s exceedingly difficult for individuals to know exactly what data is being collected about them, and what is happening to the data that they share with companies. The GDPR puts consent front and centre, giving consumers the control they need to feel comfortable sharing their data.
Improving levels of compliance. Day after day we read headlines about companies that have fallen prey to malicious hacking attacks. The GDPR introduces significant penalties, and companies that fail to meet their regulatory obligations face fines of up to 4% of annual global turnover, or EUR 20 million, whichever is greater.
Your data is safe with me
Or is it?
As well as changing the way we share personal data, advances in technology have changed the nature of crime - pushing it online where criminals benefit from the anonymity of the internet to both carry out and profit from their illicit activities.
The amount of PII and sensitive data available for sale on the Dark Web is proliferating as successful hackers peddle their wares. Purchasing anything from a compromised email address through to “fullz” packages that provide an individual’s full financial information (name, address, credit card details, social security number, date of birth) is simple if you know where to look [Figure 1].
Cyber-criminals are now organised, innovative and persistent. Data breaches are increasing, both in the number of incidents and the volume of data stolen.
This easy access to Personally Identifiable Information (PII) and other sensitive data is hitting us, as consumers, hard. Experian’s 2016 Annual Fraud Indicator estimates fraud against UK citizens at £9.7 billion, and across the Pond Javelin Strategy & Research found that there were 15.4 million U.S. victims of identity fraud in 2016 – up 16% from 2015.
In part two, Ben examines how the changing world and habits of consumers are the drivers of GDPR, and what this means for how the regulation will be enforced.
Graphics credit: C6 Intelligence Group, An Acuris Company