Free Republic
Browse · Search
News/Activism
Topics · Post Article


New EU Privacy Law May Weaken Security
Krebs On Security ^ | 2/15/2018 | Brian Krebs

Posted on 02/15/2018 9:39:34 AM PST by MeganC

Companies around the globe are scrambling to comply with new European privacy regulations that take effect a little more than three months from now. But many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats.

On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires technology companies to get affirmative consent for any information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.

(Excerpt) Read more at krebsonsecurity.com ...


TOPICS: Crime/Corruption; Foreign Affairs; Technical
KEYWORDS: eu; gdpr; krebs; privacy; whois
I came across this article and it looks like the EU law is going to force American companies to change the way they do business. Thought I'd post it here because it looks like it will have a big impact on the USA.
1 posted on 02/15/2018 9:39:34 AM PST by MeganC

To: MeganC

GDPR’s main “problem” is the right to be forgotten. In this requirement, an EU citizen can request that they no longer be recorded as a customer.

Compliance is simple in concept, often difficult in deployment. It can be complied with by using a double blind account number or hash of account ID. However, most software is not set up to enable this service. It will take some substantial investment to fix.

The good news is that the GDPR does allow exceptions where the government has a requirement for records retention. Thus an enterprise in the US could assert that the IRS tax records retention policy (7 years) gives them some breathing room.

However, companies should start looking into this and in particular, what changes to their data structures and databases would be required to comply in the future.


2 posted on 02/15/2018 10:34:11 AM PST by taxcontrol (Stupid should hurt)

To: taxcontrol
This came up today and it's from the GDPR website at

https://www.eugdpr.org/

"The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location."

3 posted on 02/21/2018 10:58:09 AM PST by MeganC (There is nothing feminine about feminism.)

To: MeganC

The problem with that position is the enforcement. Suppose a US company does business with EU citizens, say an EU citizen living in NY City who opts to bank with a US bank.

EU would like to apply GDPR to that bank. However, what vehicle do they have to enforce? If they sue in an EU court, the US firm can ignore the ruling as they do not reside in the EU. If EU attempts to enforce via US Courts, GDPR is not the law within the US so again, the enforcement arm fails.


4 posted on 02/21/2018 12:04:56 PM PST by taxcontrol (Stupid should hurt)
