From its definition of a data breach to the size of the punitive fines it has the power to levy, the GDPR radically transformed the compliance landscape in regard to the collection and handling of sensitive personal data. Instituted by the European Union (EU), the GDPR affects any company that does business with citizens living under their jurisdiction. This includes American companies which need to comply with the standards of the GDPR when conducting business in Europe.
Data Privacy in the United States
Currently, there is no equivalent overriding privacy law in the United States. That might be seen as a good thing by some, as the burden of compliance is less stringent than with the GDPR. So are the potential fines, which can be up to 4% of a company’s annual global turnover. Fines of this magnitude go far beyond a slap on the wrist and can be financially crippling to an enterprise.
This could all be changing in the not too distant future. Some states, most notably California, are pushing ahead with enhanced data protection legislation. The state’s Consumer Privacy Act of 2018 contains similar provisions to the GDPR. It will go into effect on January 1, 2020, and impacts companies that hold data on more than 50,000 Californians. Some critics claim that the approval process was rushed, but other states are now moving in the same direction.
Allowing individual states to set their own privacy standards threatens to create a more complex environment for businesses to successfully navigate than if the Federal Government instituted their own privacy laws. This is spurring some industry leaders to lobby for federal statutes similar to the GDPR to be developed. The coming months and years are sure to see a change in the way personal data is required to be handled in the United States.
Why the GDPR Model is Different
One of the most important additions to personal privacy regulations that are incorporated into the GDPR is the ability of individuals to exert control over how, where, and if their personal data is used. In order to adhere to these guidelines, a person must be able to opt-in to any attempts to collect personal data about themselves. This is the complete opposite of the current practice in America where, if you are lucky, you may get a chance to opt-out of data collection. Implementing this feature will require many applications to be reworked to some degree.
Along with having to opt-in to allow data collection, under the GDPR or similar regulations adopted in the U.S., a person has the right to see what data an organization is keeping on them. They can also demand that their personal data be deleted and that references to them are totally removed from the data collection system. Verification that the deletion has occurred, as well as reports on how an individual’s data is being used, are further requirements that will complicate the lives of DBAs working with personal data.
Tools for GDPR Preparedness
With the specter of an American GDPR type of privacy directive on the horizon, it’s time to think about how you would deal with the heightened level and focus on practicing and verifying compliance. You will need to be well-armed with the proper tools in order to successfully maintain compliance and pass audits designed to test your procedures.
One tool that can go a long way toward keeping your company on the right side of data privacy laws is SQL Compliance Manager. It provides the capability to monitor how your data has been collected as well as how it is being used and who is accessing it. These are all factors that need to be verifiable in the case of an audit, and the application can easily generate reports to be used as evidence. It employs a lightweight data collection agent that will not negatively affect your servers. The tool also lets you monitor for suspicious activity and generate timely alerts.
SQL Compliance Manager is just one of the products offered by IDERA to help your organization operate in a new data privacy environment that includes GDPR as well as new, domestic regulations that are sure to come. Failure to be prepared can lead to negative financial implications for your company and, by extension, for you as well. Don’t let that happen!