GDPR: Opportunity or Threat?
Once upon a time, anyone with a text editor and a server could toss together an Internet shopping cart and start collecting credit cards. Novelties like encryption and access control were optional. It was the digital wild west. We all suffered, like innocent bystanders stuck in a hacker shootout.
Security breaches exposed identities by the millions. Target, Home Depot, Sony, and others make a "who's who" list of corporate hack victims. In response, the Payment Card Industry (PCI), a consortium of payment processors, banded together to create security standards for merchants. These standards came with hefty fines for violators and eventually created an Internet culture where payment security is finally a high priority.
The European Union (EU) recently passed the General Data Protection Regulation, commonly known as GDPR. This set of regulations is similar to PCI, but with some notable differences. Unlike PCI, GDPR was created by a government entity with more far-reaching legal authority than a corporate consortium. Also, where PCI focused on payment processing security, GDPR has a broad scope that covers all manner of Personally Identifiable Information (PII). PII is personal information, such as a name or social security number, used to identify and distinguish between people.
The regulations have shocked the digital world; indeed, GDPR grants the Data Protection Authority the power to fine violators up to 20 million Euro or 4% of annual turnover.
Some have noted the regulations protect only EU "Data Subjects," yet this limitation in scope is not at all a free pass to American firms. An EU Data Subject is any EU citizen, regardless of their place of residence or physical location.
Others have questioned the legal authority of the regulations—how could a regulation passed in Europe exercise any control over a company based in the United States? But US-EU trade agreements give each government legal authority to issue judgements when corporations or citizens violate laws, so GDPR is nothing new in this regard.
One might argue that the definition of PII can mean many things to many people. While true, that point of view fails to exempt one from GDPR, which has a specific and clear definition of what constitutes PII. In the USA, an IP address is generally not considered PII, while it is considered PII under GDPR.
Much like PCI, GDPR mandates a combination of technology and policy to keep PII safe. GDPR establishes rules about the methods used to capture data, the notice you give to data subjects, the ability for data subjects to see and erase their data, who can access the data, and what needs to happen when the data is hacked – just to name a few.
Before PCI, the web was a more dangerous place. Although PCI created quite a burden for merchants, that burden ultimately proved worthwhile. Thanks to PCI, the web is a safer place to make payments today. In the same way, GDPR gives all of us an opportunity to step up and make the web better.
Fortunately, Smooth Fusion is equipped to use tools provided by Microsoft and other technology partners to help our clients achieve GDPR compliance (check out our GDPR Plan). Azure, SQL Server, Office 365, and other Microsoft technologies give developers powerful tools to fulfill the GDPR regulations and ultimately give our customers a safe, secure experience.
Smooth Fusion is a custom web and mobile development company and leading Progress Sitefinity CMS Partner. We create functional, usable, secure, and elegant software while striving to make the process painless for our customers. We offer a set of core services that we’ve adapted and refined for more than 250 clients over our 18 years in business. We’ve completed more than 1800 projects across dozens of industries. To talk to us about your project or review our portfolio, send us a message and one of our project managers will reach out to you quickly.