Companies that suffer data breaches are required to disclose the damage that occurred. But how soon they have to release the information, and which official bodies or affected consumers they reach out to is determined by a web of disclosure laws and regulations. They can differ by region, state and even country. The latest and potentially toughest restrictions are coming from Europe, in the form of the General Data Protection Regulation (GDPR).
While the implications of the new disclosure laws are relatively clear to European CEOs and tech leaders, questions linger for organizations in other parts of the world. For instance, should American companies worry about complying with this transatlantic set of laws? In many cases, it appears they won't have a choice.
The global data connection
Forbes Technology Council contributor Yaki Faitelson pointed out a few potentially overlooked stipulations in the GDPR that are of importance to American companies. When the rules come into effect in May, U.S. corporations will have some "homework to do," as Faitelson wrote.
One of the concerns involves Article 3 of the GDPR, which stipulates which companies are affected by the rules. Businesses collecting personal data from, or tracking the online behavior of, people in EU countries are subject to the GDPR rules. There does not have to be a financial component to the transaction for the rules to take effect.
Tracking user data is nothing out of the ordinary today - it's a given in many modern operations across the globe. This means a large number of U.S.-based organizations will have to read up on the strict disclosure rules embedded in the GDPR in order to prepare to comply with them, making GDPR compliance the first real IT challenge of the year.
Organizations’ progression so far
Many organizations around the world feel they're ready to comply with the regulations, but IBM's Security Intelligence Team paints a different picture. Three-quarters of non-technological leaders at U.S. companies don't even believe they'll have to get in line with GDPR, according to data from NTT Security. However, financial organizations, perhaps because of years of complying with strict data management rules, tend to be better prepared than non-banking firms.
Although months remain before the deadline officially hits, now is the time for organizations to research how the GDPR will affect them. Faitelson explained that adapting to these regulations could mean adding new processes to online services. For example, the GDPR will require sites to obtain explicit consent from individuals before collecting their data.
Faitelson added that complying with the GDPR's requirements on protecting the data collected from consumers isn't necessarily difficult for companies that are already up to date on Payment Card Industry standards. The more pressing challenge involves breach notification.
Changes in notification standards
Under the GDPR, there is a very short timeline from breach to public notification. With only 72 hours to notify the public, it's a stark change from the way companies have handled this process over the years.
There isn't one inflexible set of rules associated with the GDPR. The speed of disclosure, as well as who needs to be informed, changes based on the type of information leaked and whose it is. Whatever the exact nature of a data breach, however, companies will have to ready themselves for fast, thorough disclosures. Furthermore, IT departments will have to work hard to avoid one of the difficulties most associated with data loss today: discovering a security breach weeks or even months after the fact.
The need to upgrade security
Organizations that aren't sure whether they're ready for updated data protection can seek assistance from third-party security partners. Adding extra resources to alert companies of data risk is a powerful step that can prove extremely valuable. Data Breach Readiness provided by Identity Guard Business Solutions can help organizations detect and mitigate the risk of a breach through monitoring of business-level data. With access to the Identity Guard identity theft protection services in the event of a breach, Data Breach Readiness is the all-in-one solution your organization needs.