2018 sees the introduction of a new law after a two-year transition period. The General Data Protection Regulation will have an impact on any company selling into any European Union country, regardless of where that company is located. These rules have teeth and the full weight of the European Court of Justice behind them: failure to comply could result in fines of 4% of global turnover or €20 million.
Given the size of the EU market (and the undesirability of having different versions of a product for different regions), many companies will make it their default as well.
A key aim of the new rules is to establish a common standard across all EU markets, and the focus is on how companies obtain and store data and what they can do with it. The EU says it is about giving consumers control over their data. This has lots of profound implications but I would like to highlight 3 specific items in this post.
Where your software is physically located will matter far more in 2018
Many products and services now run in the cloud or in data centers. Their exact location is going to matter far more, because companies will show they are complying with these rules by keeping data in the EU, or will avoid being impacted by these rules if they are otherwise not linked to the EU markets. Location is already becoming a politically complex issue, with several governments seeking more power over their own access to data while seeking to reduce the ability of other states to access it.
You can make far more limited assumptions about permission in 2018
Client data security is going to be much more important
A key requirement of the new laws is to ensure data is kept securely, so that even if the main systems are hacked, the data is not easily obtained. There have been too many embarrassing cases where hackers broke into systems and took easily accessible information which was never secured. So more and more systems are going to use strong encryption as standard, so that all stored data is protected even when the system holding it is compromised.
This is actually the reason behind the theme of this month's blog post on security and encryption.
The PDF file specification already offers the option to encrypt PDF files using AES encryption. At IDRsolutions we are extending this to ensure that any local data our software creates (cached copies of images from PDF files, etc.) will be encrypted by default if the user gives us a password. Without the password (which the user provides and which we never store), any local data will be encrypted garbage. This will help our customers to ensure they are meeting the new requirements.
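To make the idea above concrete, here is an added example (not IDRsolutions code, and not the PDF specification's own encryption scheme) of how a cache record can be protected with a key derived from a user-supplied password that is never stored. It uses AES-256-GCM from the Go standard library, derives the key with PBKDF2-HMAC-SHA256 (written out here rather than imported, so the example runs with the standard library alone), and binds the cache file name to the record as authenticated data so a record copied from one cache file into another is rejected. The function names, record layout and sample data are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per-record salt stored with the record
	nonceLen   = 12      // AES-GCM standard nonce size
	keyLen     = 32      // AES-256
	iterations = 100_000 // PBKDF2 work factor (assumed value for this example)
)

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA256. Written inline so the
// example needs only the standard library; a real project would use a vetted library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newAEAD(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCacheRecord encrypts plaintext under the user's password.
// Record layout: salt || nonce || ciphertext+GCM tag. cacheName is authenticated but not encrypted.
func SealCacheRecord(password, cacheName, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, cacheName), nil
}

// OpenCacheRecord reverses SealCacheRecord. A wrong password, a modified record, or a
// record moved to a different cache name all fail the GCM tag check and yield no plaintext.
func OpenCacheRecord(password, cacheName, record []byte) ([]byte, error) {
	if len(record) < saltLen+nonceLen+16 {
		return nil, errors.New("cache record too short")
	}
	salt, nonce, ct := record[:saltLen], record[saltLen:saltLen+nonceLen], record[saltLen+nonceLen:]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, cacheName)
	if err != nil {
		return nil, errors.New("wrong password or tampered cache record")
	}
	return pt, nil
}

func main() {
	// Constructed sample: a pretend cached page image and a user-chosen password.
	password := []byte("correct horse battery staple")
	rec, err := SealCacheRecord(password, []byte("page-3-image.cache"), []byte("PNG bytes of page 3"))
	if err != nil {
		panic(err)
	}
	pt, err := OpenCacheRecord(password, []byte("page-3-image.cache"), rec)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	_, err = OpenCacheRecord([]byte("guess"), []byte("page-3-image.cache"), rec)
	fmt.Println("wrong password:", err)
}
```

Because the salt and nonce are generated fresh for every record, two caches of the same image under the same password produce different ciphertext, and nothing derived from the password is written to disk alongside the data.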
How are you getting ready to meet the challenges of the new regulations?