PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

10 Implications of the New EU General Data Protection Regulation (GDPR)

EU GDPR Training General Data Protection Regulation

EU Flag EU Privacy TrainingLast week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries.  Clocking in at more than 200 pages, this is quite a document to digest.  According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”

The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year.  It will has substantial implications for any global company doing business in the EU.  The GDPR is anticipated to go into effect in 2017.

Here are some of the implications I see emerging from the GDPR as well as some questions for the future:

1. Penalties and Enforcement

Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.”  Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.”  The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”

These are huge penalties.  Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO).  Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling.  The CEO will stand up immediately and say: “Excuse me, but I must take this call.  It’s my CPO calling!”

EU Privacy Training Money

To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent.  Will the new GDPR change enforcement?  With such huge fines, the payoff for enforcement will be enormous.  We could see a new enforcement culture emerge, with more robust and consistent enforcement.  If privacy isn’t much of a priority of upper management at some global companies, it will be soon.

Continue Reading

New Resource Page: Privacy and Security Training Requirements

Privacy and Security Training Requirements 02

by Daniel J. Solove

I have created a new resource page for the TeachPrivacy website: Privacy and Security Training Requirements.

Continue Reading

Why We Should Persuade and Train with Stories

title image

By Daniel J. Solove

 

Once upon a time, there was a teacher who wanted to train people. At first, the teacher stated a list of things to do and not do. But this had little effect. The teacher was upset and started to doubt whether he could ever get through to people. But then the teacher tried a new approach – using stories. People remembered the stories, and the training started to change people’s behavior. And the teacher and everyone he taught lived happily ever after.

Continue Reading

Burn Before You Learn or Learn Rather than Burn

title image

By Daniel J. Solove

It seems as though every week brings news of another batch of data breaches . . . and they’re getting bigger. Target. Home Depot. Sony. Anthem. The list goes on and on.

The costs of many of these breaches are devastatingly large. And yet most data breaches are readily preventable. After reviewing more than 1,000 data breaches from 2014, the Online Trust Alliance (OTA) found that more than 90% of them could have been avoided.

Continue Reading

The $500,000 Value of Data Security Awareness Training

data security awareness training

by Daniel J. Solove

It has long been difficult to quantify the ROI of data security awareness training.

But finally, I have been able to locate a number. According to a 2014 PricewaterhouseCoopers study: “The financial value of employee awareness is even more compelling. Organizations that do not have security awareness programs—in particular, training for new employees—report significantly higher average financial losses from cybersecurity incidents. Companies without security training for new hires reported average annual financial losses of $683,000, while those do have training said their average financial losses totaled $162,000.”

Continue Reading