We’ve been seeing a lot of headlines around Europe’s GDPR, but what is it and how does it impact organisations outside the EU? Also, if you think GDPR only has an impact on businesses in Europe, think again.
Identity theft is on the rise. Personal information, from credit card details to copies of passports, is precious to criminals. The 2017 Identity Fraud Study by Javelin Strategy & Research found that US$16 billion was stolen from 15.4 million U.S. shoppers in 2016, compared to $15.3b and 13.1m victims the year before.
Similar growth is seen in the rest of the world, according to a report from Risk Based Security. A total of 4,149 confirmed breaches exposed more than 4.2 billion records, approximately 3.2 billion more exposed records than in 2013.
The EU has been working hard to turn the tide and to homogenise privacy protections within the EU. Enter the GDPR (General Data Protection Regulation), a regulation by which Europe intends to unify and strengthen data protection for all citizens and residents of the European Union (EU).
The GDPR aims mainly to hand control over personal data back to residents and citizens of the EU. Besides being aimed at organisations handling personal data within the EU, the GDPR also addresses the export of personal data outside the region.
The countdown is towards 25 May 2018. This is when the GDPR becomes enforceable in all European member states.
Because it is a regulation and not a directive, it does not require national governments to pass any enabling legislation. It will be there, and there will be no way around it.
Astronomical fines under the GDPR
In 2016, the UK Information Commissioner's Office (ICO) fined local companies £880,500 for infringements involving citizens' and residents' personal data. According to analyses done by the NCC Group, these fines would have been £69m under the GDPR.
The £400,000 fine that TalkTalk had to cough up would be £59m under the GDPR. These astronomical fines would be enough to put most companies out of business.
The goal of these fines is to encourage better cybersecurity, and it has gotten the attention of many boards of EU organisations. But what is the possible impact on non-EU organisations?
Regulatory conflicts
Various non-EU practices, laws and regulations conflict with the GDPR. Think about the surveillance laws passed in many Anglo-Saxon countries (Five Eyes).
These would bar information on EU citizens from being stored or processed by organisations falling under such legislation. A way around this is to set up shop within the EU, but depending on the size of the company and its dependence on EU trade, this might not be a viable option for most companies.
Data portability for global organisations
If you are running a large social network or global e-shopping site, you collect and process a lot of information about your members. The GDPR will effectively make it illegal to synchronise this data to other points on the planet, should it cross EU borders during the transfer.
This new requirement will have a major impact on the architecture of such networks, requiring large investments to attain compliance. Should a cybersecurity incident occur, non-compliance could lead to the astronomical fines mentioned above.
The impact of EU cybersecurity budgets on non-EU organisations
One impact for non-EU companies comes from the "lowest hanging fruit" premise, where burglars aim for the easy targets first. Once the EU has relatively strong defences in place due to the GDPR, cybercriminals will flock to easier targets outside the EU.
Putting these defences in place, monitoring them, and appropriately responding to security incidents requires quite a workforce. This calls for many skilled cybersecurity professionals, and there is already a considerable shortage of cybersecurity professionals across the globe, estimated at two million by 2019.
Due to higher budgets, wages will also follow this trend. It is expected that this will attract a lot of cybersecurity talent to move to the EU, depriving non-EU countries of these valuable resources.
The future
The GDPR has a major impact across the globe. International trade will be affected, and cybercriminals will move their activities to easier targets.
To level the playing field, the GDPR will encourage other nations to draft similar regulations within the next few years. To avoid falling victim to cybercriminals, non-EU organisations will need to put cybersecurity high on the agenda.
The risks associated with system vulnerabilities are substantial. Instead of waiting for your information to be exploited, systems corrupted and brands damaged, you can take the initiative and protect yourself.
We can provide you with in-depth reports into weaknesses that attackers could exploit in your specific system. With this valuable insight, we can then help you secure your systems in the areas of development, use and infrastructure.
Visit our Security Testing section to find out how we can close these loopholes for you.