U.S. & APAC Companies Pay Attention: The GDPR Deadline Looms for the EU

With Facebook under scrutiny for sharing users’ data with third-party data brokers, more internet users are questioning the privacy of and access to their personal information. European Union businesses and citizens have been concerned since at least early 2012 when the proposal for General Protection Data Regulation (GDPR) was released. The official GDPR regulation was adopted by all member states and the European Parliament in 2016. Beginning May 25, 2018, any organization that has a presence in an EU country or houses the personal data of EU citizens will have to comply with the GDPR standards.
GDPR also pertains to any businesses that:

• Has operations in the EU
• Is doing business with an EU company or a US company that has operations in the EU
• Has any level of data involvement with EU companies

The penalties for GDPR non-compliance are severe. Should North American or APAC businesses be concerned?

What Lead to the GDPR Proposal?

Until the 2012 proposal, countries in the EU had their own regulations due to each individual nation’s interpretation of the Data Protection Directive from 1995. The patchwork of inconsistent rules caused organizations to rely on additional resources to comply with different national procedures and laws, especially as more data was collected in the decades since.

Although each nation had its own data protection laws, the enforcement of those laws was negligent. EU businesses were given security guidelines to follow and were self-regulating, but PwC’s 2018 Global Economic Crime and Fraud Survey states that only 54% of global organizations have conducted a fraud assessment in the past two years. One in ten had not performed any type of risk assessment in the same time frame.

With the implementation of GDPR, the EU market will save an estimated 2.3 billion euros or $2.85 billion every year. However, they are also held liable for data security and fraud protection.

What Does GDPR Require?

GDPR sets minimum standards for data protection for any business that:

• Has a presence in any EU country or
• Processes personal data of EU citizens

GDPR compliance applies to any business that:

• Has 250 or more employees or
• Processes sensitive or large amounts of personal data

Personal data is defined as any PII or personally identifiable information such as name, identification number, location data, email address, photographs, social identity, economic status, physical abilities or anything that refers to that individual.

Users have specific rights under the GDPR including:

• The right of transparency including clear data consent forms, which data is being collected, access to that data and how it is being used
• The right to rectify inaccurate data
• The right to be “forgotten” including withdrawing consent and deleting all personal data from a business
• The right to object how the data is being used
• Data portability to transfer data between companies upon request

Companies must report data breaches within 72 hours and specify the number of exposed records, the types of data breached, what has been done to address the breach and mitigate any adverse effects, and the consequences of the breach.

Companies must also perform assessments to identify and address the risk of fraud or breaches. If the organization meets any of the requirements of 250 or more employees, processes highly sensitive or large amounts of EU citizen data, regularly collects or monitors data subjects or are a public authority, they will need to hire a data protection officer to oversee compliance.

Depending on the type of non-compliance, penalties could be from 2% or 10 million euros  up to either 4% of the business’ annual global turnover(based on the previous fiscal year) or 20 million euros.

How Will Companies Comply with GDPR?

The penalties and stringent requirements of GDPR have organizational leaders worried about compliance by the May deadline. Although the regulation was adopted by the EU, global organizations could be at risk for punitive fines. Over 70% of U.S. businesses have begun preparing for GDPR and have spent $ 1 – 10 million to prepare. Some businesses have opted to reduce their EU presence temporarily until they meet GDPR standards.

Companies can prepare for GDPR compliance by:

• Documenting what data is collected, who has access, and where it is stored
• Creating rules and processes for data access and use
• Building security controls for protecting data
• Establishing protocol for responding to data breaches
• Assessing the risks of data fraud and GDPR non-compliance

How Can NEC Help?

GDPR compliance challenges are prompting business leaders to lean heavily on their technology partners for solutions. A provision within the data protection regulation is “privacy by design” which requires technology solutions to natively build in data security from the onset. The good news is that NEC has a robust data platform that is built to secure data and help make data manageability easier: NEC HYDRAstor.

HYDRAstor offers a scalable and customizable platform for small-to-medium and enterprise businesses, including the ability to upgrade with no disruptions and expand to almost unlimited data growth.

NEC’s erasure-coded resiliency eliminates a single point of failure, keeping data protected and secure on HYDRAstor’s grid architecture. Erasure coding distributes data across the storage grid, so disk or node failures don’t disrupt the availability of data. Data resiliency automatically rebuilds only bad sectors, enabling a faster disk rebuild than traditional RAID.

HYDRAstor’s encryption technology protects data from unauthorized access to lost or stolen disks by encrypting data prior to being written to disk. Data that may need to be classified can exist in the same system as unclassified data due to HYDRAstor’s Write-Once-Read-Many (WORM) capability for regulatory compliance.

NEC’s HYDRAstor backup partners such as Veritas, Veeam, Commvault, and more, are also preparing for GDPR compliance, offering simplified management interfaces for data protection managers.

Concerns about data availability, security, and the deletion of user’s personal data can be handled seamlessly with NEC’s HYDRAstor. To learn more about NEC HYDRAstor, visit www.necam.com/HYDRAstor.

In a dynamic and global economy, our experts anticipate that GDPR compliance will be universally adopted in the near future.

If your company has presence in any EU country, please contact us today for a complimentary consultation on your data storage and security requirements.