Data Collection and the GDPR?

Companies that collect data on citizens in European Union (EU) countriesl need to comply with strict new rules around protecting customer data. The General Data Protection Regulation (GDPR) sets a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to maintain compliance.

Compliance will cause some concerns and new expectations of security teams. For example, the GDPR takes a wide view of what constitutes personal identification information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.

How to comply with GDPR
The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
What is the GDPR?
The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU.
What area does this effect?
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, that standard is quite high and will require most companies to make a large investment to meet and to administer.
Why does the GDPR exist?
The short answer to that question is public concern over privacy. Europe in general has long had more stringent rules around how companies use the personal data of its citizens. The GDPR replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well before the internet became the online business hub that it is today. Consequently, the directive is outdated and does not address many ways in which data is stored, collected and transferred today.
How real is the public concern over privacy?

It is significant and it grows with every new high-profile data breach. According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., 80% of consumers said lost banking and financial data is a top concern. Lost security information (e.g., passwords) and identity information (e.g., passports or driving license) was cited as a concern of 76% of the respondents.

An alarming statistic for companies that deal with consumer data is the 62% of the respondents to the RSA report who say they would blame the company for their lost data in the event of a breach, not the hacker. The report’s authors concluded that, “As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data.”

Lack of trust in how companies treat their personal information has led some consumers to take their own countermeasures. According to the report, 41% of the respondents said they intentionally falsify data when signing up for services online. Security concerns, a wish to avoid unwanted marketing, or the risk of having their data resold were among their top concerns.

The report also shows that consumers will not easily forgive a company once a breach exposing their personal data occurs. Seventy-two percent of US respondents said they would boycott a company that appeared to disregard the protection of their data. Fifty percent of all respondents said they would be more likely to shop at a company that could prove it takes data protection seriously.

What types of privacy data does the GDPR protect?
  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
Which companies does the GDPR affect?

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:

  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC survey showed that 92% of U.S. companies consider GDPR a top data protection priority.

A new survey conducted by Propeller Insights and sponsored by Netsparker Ltd. asked executives which industries would be most affected by GDPR. Most (53%) saw the technology sector being most impacted followed by online retailers (45%), software companies (44%), financial services (37%), online services/SaaS (34%), and retail/consumer packaged goods (33%).