Updated: Apr 13
Before GDPR existed, companies across the globe relied on a cluster of laws and standards when handling their customers' data. A security or compliance professional's day job is to deal with regulatory acronyms, whether they come from a specific industry or from federal, state and local mandates and standards. Companies have to comply with the standards of the industry they work in.
GDPR provides better guidelines on keeping customer data secure. One good example of the effectiveness of GDPR is how it tamed tech giants like Google and Facebook. A survey conducted by Forrester Research showed that the majority of US adults (61%) are concerned about sharing their data or online behaviour with companies.
Non-EU countries and states have also been influenced by GDPR and have updated or introduced new privacy legislation. One good example is the state of California passing the California Consumer Privacy Act of 2018, which takes effect in 2020 and is by far the strictest privacy law in the US.
These mandates are the first baby steps before we can finally have a global privacy regulation. But this also means that the compliance landscape will only get more complicated from here on and will not be fixed with a single solution. There are, however, steps that companies can take to prepare should this happen in the near future:

Define your data

Companies need to understand exactly where customer data is stored and trace the path it takes from the second it enters the system. Know where it goes, how much of it the company holds, and how long it will be retained.
Always prepare for the worst

Security measures should be in place to prevent attacks, AND, if the data were stolen anyway, ask whether there was an acceptable use case for storing that particular information about your customers in the first place. If you are in doubt about whether to keep the data, it is best not to.
Constantly train your team
Never neglect the importance of regularly training employees on basic security procedures such as changing passwords regularly and watching out for potential attacks. Define your company's policy and enforce it strictly, because in many cases an insider turns out to be the cause. To limit this risk, restrict data access to the people who actually need the data.
Rid your company of any unnecessary PII
If you deem that data is not required, remove it. That way you lessen your chance of being preyed on by cybercriminals. If a company wants to store PII for a longer period for future research use, strip out personal identifiers such as the names and addresses of those users.
Preparing for a possible worldwide privacy law will be a lot of work for these companies, but it is the best step towards protecting users in the internet age. The best way to be ready when that day comes is to start preparing as soon as possible and anticipate its arrival.