Sep 12, 2018 6:35:31 AM by John Pocknell
Written by John Pocknell and Colin Truran.
As a DBA, I’m sure you are probably aware by now that there’s been a lot of recent coverage around data breaches and access to personal data. You may also have heard about the new General Data Protection Regulation (GDPR) legislation that went into effect on May 25th this year.
The maximum penalty for non-compliance is 4% of annual worldwide turnover or €20 million, whichever is higher. Lower fines of up to 2% (or €10 million) are possible for administrative breaches, such as not carrying out impact assessments or not notifying the authorities or the affected individuals in the event of a data breach. This puts data protection penalties into the same category as anti-corruption or competition compliance.
You might be asking yourself: so what do I need to know, and how do I ensure our business is protected?
The first thing you need to consider is one aspect of GDPR called “Privacy by Design”. This requires a fresh look at how you design your systems, with data privacy as a priority. It starts with data discovery: how do I know which data in my databases is “Personally Identifiable Information” (PII)?
Our own (UK based) Principal Technology Strategist and GDPR expert, Colin Truran, sets out some of the background to GDPR and what it should mean to US companies.
In future blogs, we’ll get into some of the detail of what this means for DBAs and what they should start doing now to ensure the protection of their company’s data.
Over to you Colin….
I thought I would dedicate this blog to one topic that keeps coming up: “As a US business or government organisation, does GDPR affect me?” However, even if you are not based in the United States, I encourage you to continue reading, as the same challenges, restrictions, enforcements and opportunities still apply around the world.
What people are really asking is whether the EU’s new teeth can be brought to bear outside of the EU, and in particular, what influence it could possibly have against an economic giant such as the US. Why should organisations listen, take notice or even be slightly worried? The answer for many small organisations that only trade within the US and have no interest in employing EU citizens or handling any EU citizens’ data is going to be pretty simple. However, unless you can be absolutely sure that you will not hold, receive or pass through data by any means regarding an EU citizen, no matter where they actually live, then you may need to be a little more attentive.
So let’s try to answer the first question, can the European Union impose a fine or penalty on a US or otherwise external organisation? The simple answer is yes, although the extent of the penalty and how it is enforced will be dependent on many factors, such as:
But yes, the simplest way for the EU to impose a fine or penalty on a non-EU-based company is to use local data protection regulations. Increasingly, GDPR is being seen as the standard model for other countries, so you may find yourself subject to local rules based on GDPR compliance principles that impose even greater restrictions and penalties. In other countries, the primary route for ensuring compliance and enforcement will come from the Data Protection Authority (DPA). However, a DPA does not exist in the US. The closest equivalent that has jurisdiction over most commercial organisations is the Federal Trade Commission (FTC), along with the state attorney general’s offices, which have similar authority over other areas.
The real question is how far the US Department of Commerce wants to go to avoid trade embargoes and impediments. We have already seen that the US-EU Safe Harbour self-certification program “PrivacyTrust”, formerly “eTrust”, fell short of European Commission requirements and has been replaced by Privacy Shield. In the meantime, this forced cloud providers to establish data centres and data policies that favour the EU territories. There is also an underlying desire by governments to protect their citizens, and by organisations to take a moral stand on how personal information is handled and used. On many occasions, we have heard that the European Commission’s data protection and data privacy policies are leading the way for the rest of the world. We also need to note that many countries have stronger regulations within their own borders that need to be adhered to. So the practical upshot is that US companies will be under pressure to adhere to GDPR requirements if they wish to trade with or pass data through the EU, and the US government, wanting to prove itself a desirable platform for e-commerce, will have its own motive to ensure that any failures are enforced.
It is important to remember that you will be competing both as a country and as a business against those that handle personal data to the high standards laid out by GDPR. Companies that have a strong moral compass and verifiable good data practices will do well as we move into this new era of ethical e-commerce where individuals have the ability to choose to be adequately protected.
For more information and resources on GDPR, please click this link.
Written by John Pocknell
John Pocknell is a senior market strategist at Quest Software and part of the Information Management business unit. Based at the European headquarters in the U.K., John is responsible for synthesising analyst data and customer interviews in order to create and evangelise solutions-based stories and messaging which relate to major IT initiatives for our extensive portfolio of database products, worldwide. He has been with Quest Software since 2000, working in the database design, development and deployment product areas and spent over 10 years as product manager for the Toad product line. John has been successfully evangelising Toad and other database solutions at various conferences and user groups around the world for the last 19 years as well as writing blogs and technical papers both internally and for the media. John has worked in IT for more than 30 years, most of that time in Oracle application design and development. He is a qualified aeronautical engineer with more than 10 years of experience in provisioning IT consultancy services and implementing quality assurance systems to ISO 9001.