Data breaches have become an epidemic. Every single day, over five million data records are either lost or stolen. That translates into 58 records every single second.
The first half of 2017 saw some major data breaches, and the problem does not seem to be improving as we move into 2018.
Much of the blame can be placed on poor internal security practices. There have been 9 billion data records lost or stolen since 2013 through data breaches, and a mere 4% of them were “Secure Breaches,” where “encryption was used and the stolen data was rendered useless.” That’s a pretty abysmal statistic.
As a result of stats like these, drastic measures are being taken globally to protect the private information of both consumers and employees. One great example of this is the General Data Protection Regulation (GDPR).
The GDPR is a regulation issued by the European Union (EU) that’s designed to increase the level of data protection for individuals within the EU. It was initially approved in April of 2016, and will officially be enforced as of May 25, 2018.
The GDPR will replace the current Data Protection Directive, which has been in place since 1995. Its purpose is to establish a standardized framework that ensures companies keep personal data secure. “Personal data” refers to any information that could be used either directly or indirectly to identify a person, including an individual’s name, their financial information, email address, medical information, IP address and more.
Full compliance is critical for many reasons. For starters, organizations that fail to comply with the GDPR can face some hefty fines.
Penalties will take a tiered approach. For lesser infringements, such as not having their records in order, companies will be fined two percent of their annual global revenue from the previous year or 10 million Euros (nearly $12 million USD), whichever is greater.
For serious infringements, such as violating core concepts like failing to obtain consent from data subjects (e.g. the EU citizens), companies will be fined four percent of their annual global revenue from the previous year or 20 million Euros (nearly $24 million USD), whichever is greater.
The GDPR impacts all organizations located within the EU. However, it also applies to those located outside of it if they provide goods or services or hold the personal data of EU “data subjects.”
Essentially, any website that has traffic coming from Europe will be impacted. So, if your business is located in the U.S. but you process and store the personal data of individuals residing within the EU, the GDPR still applies to you. As you can see, the impact of this regulation will be far-reaching.
The core purpose of the GDPR is to protect the rights of data subjects against privacy violations and data breaches. Therefore, compliance hinges upon the following:
- Privacy by design – This means building systems and digital infrastructure with privacy in mind from the ground up.
- Getting consent from data subjects – The process should be simple and clear.
- Notifying data subjects of a data breach – This must be done within 72 hours after a breach has occurred.
- Right to access – Your company must provide affected individuals with a copy of their personal data free of charge. Doing so is intended to increase transparency and empower data subjects.
- Data erasure – Individuals have the right to have their personal data erased or to have third parties cease processing their data.
You can learn more about the full scope of compliance through this resource.
With the GDPR’s impending implementation just around the corner, businesses need to be serious about preparation. According to a survey by TrustArc, many companies are still a long way off. Of the surveyed companies:
- 61 percent said they have not started the process of GDPR implementation
- 23 percent said they have begun implementation
- 11 percent stated their implementation is “well underway”
- 4 percent claimed to be fully compliant with the GDPR
Not only is there a lack of preparation, but many companies aren’t even aware of the GDPR and what it will mean for their business practices. A survey by Dell last year found that over 80 percent of organizations knew only a few details or nothing at all about the GDPR.
Just think about the implications of a major data breach and the disastrous consequences it could have for your company. Data security needs to be a top priority for all companies moving forward, and organizations would be wise to be more diligent than ever about keeping information secure.
This starts with being selective about the data you choose to store. Decide what truly needs to be archived and what can be discarded – and what information you actually should be collecting in the first place.
Next, establish a set of policies and procedures for handling data.
- Where will data be stored?
- How long will it be stored?
- Who will have access to it?
- What type of security controls will be utilized to protect the data?
Establishing and enforcing strict policies and procedures for handling data will help your company follow the security measures needed to comply with GDPR regulations, and help protect customers’ personal data against data breaches.
There are several other steps you can take in order to prevent information from falling into the wrong hands. For example:
- Upgrading physical security (e.g. using biometrics and CCTV)
- Educating staff (about 80 percent of all breaches have a root cause in some type of employee negligence)
- Developing strong passwords and changing them every 90 days
- Using encryption
- Using multi-factor authentication
- Performing routine penetration testing to identify vulnerabilities in your website, network, etc.
- Defining who can access critical data
- Creating mobile device security policies (e.g. using data wiping tools if a device is stolen)
The GDPR gives individuals the right not to be tracked unless they consent to it. As such, it takes away the ability of tags to track user activity without users consenting in an explicit manner.
This creates a major obstacle for companies, since they won’t be able to seamlessly collect user data like they used to. As a result, the GDPR actually regresses much of the technology that has evolved over the past few years.
Once the GDPR goes into effect, users can choose whether or not they accept being tracked by cookies once they land on a site. This creates a considerable burden for many marketers when attempting to collect user data and monitor analytics.
For instance, tracking CPM and CTR in AdWords isn’t possible without cookies. This will have a huge effect on marketing and analytics, and will make it more difficult to generate the data that you’ve been accustomed to up to this point.
With less than six months to go before the GDPR is enforced, time is definitely of the essence. In addition to bolstering data security as outlined above, you should implement a tag governance policy to define accepted behavior and monitor your tags.
A tag governance policy helps you in four critical ways:
- It establishes an organizational structure
- It develops processes and compliance
- It allows you to effectively monitor your data collection, while simultaneously measuring tag performance in real-time
- You can receive alerts on any issues that pop up for swift remediation
In turn, you can ensure that you have a deep understanding of and full transparency regarding everything that’s loading on your site. This way, you can make sure there are no unauthorized third parties that could put you at risk of non-compliance.
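The two ideas above, that a tag may only track a visitor after explicit consent and that you should know exactly which tags load on your site, can be enforced in the tag-loading layer itself. The following is an added example, not code from the original post or from the Tag Inspector product: a small consent-gated tag governor written for Node.js (no browser needed). The tag inventory, vendor hostnames and category names are constructed for the demo. Tags fire only if they are both in the governance inventory and in a consented category; anything else is blocked and written to an audit log, and a consent signal is honoured only when it comes from an explicit affirmative action.

```javascript
// Added example (not code from the original InfoTrust post): a consent-gated
// tag loader. Tag IDs, vendor hostnames and categories below are constructed
// for the demo. Runs under Node.js without a browser.

// Governance inventory: every tag that is allowed to load on the site.
// Anything not listed here is treated as unauthorized (constructed data).
const TAG_INVENTORY = [
  { id: "session-cookie", vendor: "first-party", category: "essential" },
  { id: "analytics-main", vendor: "analytics.example", category: "analytics" },
  { id: "ads-retargeting", vendor: "ads.example", category: "marketing" },
];

function createTagGovernor(inventory, loadTag) {
  // Default deny: only strictly necessary tags may run before the user decides.
  const consented = new Set(["essential"]);
  const audit = [];
  const byId = new Map(inventory.map((t) => [t.id, t]));

  // Every decision, allowed or blocked, is recorded for later review.
  function log(entry) {
    audit.push({ seq: audit.length, ...entry });
    return entry;
  }

  // Accept consent only when it comes from an explicit affirmative action.
  // Pre-ticked boxes, silence or continued browsing do not count.
  function recordConsent(signal) {
    if (signal.source !== "explicit") {
      return log({ event: "consent-rejected", reason: `source ${signal.source} is not explicit` });
    }
    for (const c of signal.categories) consented.add(c);
    return log({ event: "consent-granted", categories: [...signal.categories] });
  }

  // Withdrawal must be as easy as granting; essential tags stay on.
  function withdrawConsent(category) {
    if (category === "essential") {
      return log({ event: "withdraw-ignored", reason: "essential cannot be withdrawn" });
    }
    consented.delete(category);
    return log({ event: "consent-withdrawn", category });
  }

  // The gate: a tag fires only if it is in the inventory AND its category is consented.
  function fireTag(tagId) {
    const tag = byId.get(tagId);
    if (!tag) {
      return log({ event: "blocked", tagId, reason: "not in governance inventory" });
    }
    if (!consented.has(tag.category)) {
      return log({ event: "blocked", tagId, reason: `no consent for ${tag.category}` });
    }
    loadTag(tag);
    return log({ event: "fired", tagId, vendor: tag.vendor });
  }

  return {
    recordConsent,
    withdrawConsent,
    fireTag,
    audit: () => audit.slice(),
    consentedCategories: () => [...consented],
  };
}

// Demo run: a page load where the visitor has not yet answered the banner,
// followed by an explicit opt-in to analytics only.
function demo() {
  const loaded = [];
  const gov = createTagGovernor(TAG_INVENTORY, (tag) => loaded.push(tag.id));

  // Before any consent: only the essential tag fires.
  gov.fireTag("session-cookie");
  gov.fireTag("analytics-main");
  gov.fireTag("ads-retargeting");
  gov.fireTag("rogue-pixel"); // constructed: a tag nobody approved for this site

  // A pre-ticked checkbox is not explicit consent and is rejected.
  gov.recordConsent({ source: "preticked", categories: ["marketing"] });
  // A click on "Accept analytics" is explicit and is honoured.
  gov.recordConsent({ source: "explicit", categories: ["analytics"] });
  gov.fireTag("analytics-main");
  gov.fireTag("ads-retargeting");

  return { loaded, audit: gov.audit(), consented: gov.consentedCategories() };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the audit trail: the essential tag fires, the analytics and marketing tags are blocked for lack of consent, the unlisted "rogue-pixel" is blocked as not being in the inventory, the pre-ticked signal is rejected, and after the explicit opt-in only the analytics tag fires while the marketing tag stays blocked. The same audit log is what a monitoring platform would alert on when an unexpected tag shows up.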
This has arguably never been more important than it is right now with the GDPR coming into effect. Businesses with a strong tag governance policy not only protect themselves from serious fines, but also keep their brand reputation intact. With 91 percent of North American consumers reading reviews about a company before doing business with them, having a positive brand reputation is essential.
A strong tag architecture can also give your organization a huge competitive advantage once the law is rolled out. Establishing trust and a solid opt-in experience is huge because it allows you to make data-driven decisions. For example, if you’re able to get 70 percent of visitors to opt in, and your competitor is only able to get 10 percent, you’ll have a tremendous advantage.
A platform like Tag Inspector is ideal for auditing and monitoring your tags. Staying on top of this gives you better insight into tag behavior to better understand your customers’ behavior and creates a revenue-generating advantage.
The concept of data regulation is nothing new, but the GDPR marks a major overhaul and is a clear reminder that organizations must take data security seriously. Failure to do so can result in steep fines and a tarnished reputation.
This law will usher in a new level of data transparency and governance that impacts any business that processes and stores personal data of individuals residing within the EU – so it’s truly a global initiative.
That means there will be some significant changes for marketers in 2018. It will change the way you’re able to collect data and makes the process more onerous, so beginning to prepare now is crucial.
By revving up your data security and implementing a tag governance policy you should be able to generate more data than most competitors, while at the same time keeping that data secure. In turn, this creates a significant advantage and puts your organization in a favorable position moving forward.
Do you feel that your company is adequately prepared for when the GDPR goes into effect? Please share your thoughts in the comments below.
The materials are provided AS IS without any warranty and InfoTrust, LLC disclaims all warranties, express and implied, regarding these materials. The information contained in these materials was prepared for general informational purposes and it is not intended to provide legal advice. Before applying any of the information to your situation, you should consult your legal advisors.