New EU data protection legislation will challenge U.S. IT execs

The EU has agreed upon a radical set of data protection rules. What does it mean for U.S. IT execs? Also in Searchlight: Apple has a new COO; Republican candidates fumble on tech knowledge.

Three years into a major overhaul of data protection law, European Union (EU) officials are hoping they have finally gotten it right -- they'll just have to wait two years to find out.

This week, the EU made public a draft of the General Data Protection Regulation (GDPR), its new set of landmark data protection rules that will go into effect in 2018 -- and that are expected to have a profound effect on the digital marketplace.

Equivalent to a federal law in the U.S., the GDPR is an EU-wide legal framework that sets stricter and more comprehensive standards regarding data sharing, collection and privacy. Highlights include tougher data consent requirements, an expanded right to be forgotten, the right to be informed when you've been hacked, increased data portability and a boosted age of consent from 13 to 16 years old.

"GDPR is a huge step forward toward making data protection law appropriate for the digital age," said Duncan Brown, research director at IDC. "It replaces existing law that predates Google, cloud and the Internet of Things."

The main objectives of the EU data protection legislation are to address the rapid advancement of technology and create a single, unified digital market to simplify business operations in Europe. Analysts will continue to sift through the 200-plus-page document to evaluate its effectiveness, but Jeffrey Ritter, a frequent contributor to TechTarget and an external lecturer at the University of Oxford, is impressed.

"Its importance is underlined by the EU's broad commitment to a digital strategy for ... a unified, single market across all of Europe," Ritter said. "On both sides of the Atlantic, the GDPR may be one of the most influential pieces of legislation for international trade that we've seen in some time."

Ritter sees the new regulations as an important step toward building digital trust and a win for consumer privacy.

"Anytime we can create standardization in the rules across a wide sector of commerce, trust is enabled, because everyone is playing by the same set of rules," he said. "It is a step in the right direction for privacy, because it creates a broader foundation of uniform rules for how corporations, government and data subjects interact with regards to digital information."

Global implications of GDPR

The standardized regulations will impact more than just European nations. Thanks to an extraterritoriality clause, even a company or service provider with no physical EU footprint still has to comply with the EU data protection legislation if it processes EU citizens' data, Brown said, making it of global concern.

That means CIOs and IT executives in the U.S. whose companies do business globally need to prepare themselves and their companies for the official enactment of GDPR in 2018, Ritter said. But getting there won't be easy -- or cheap.

"When there are changes as substantial as the GDPR ... these introduce enormous challenges to any company, regardless of its home base, to modify its systems, its devices, its processes, its controls, its human resource training and its business relationships," Ritter said. "But for U.S. companies, it's a huge challenge, because it adds infrastructure and expense for what represents, for many of those companies, a secondary market."

Adding to the pressure, companies that fail to comply will have to cough up a pretty penny. In accordance with this EU data protection legislation, noncompliance could result in fines as high as 4% of a company's total revenue -- a move that illustrates the determination of EU officials in achieving their vision of a unified and protected digital market. The best response for IT executives, according to Brown, is increased vigilance.

"GDPR is a game changer in terms of what is expected of enterprises," Brown said. "Alongside the headline requirements of consent, data portability, data transfers and so on, we have an obligation to demonstrate compliance. The idea that compliance is something you achieve on an annual basis won't be good enough: Enterprises have to demonstrate continuous compliance, all day, every day."

How will companies incorporate these new rules into their IT infrastructure? For U.S. IT executives seeking to tailor data collection, retention and privacy practices to these European rules -- while also hewing to the profit mandates of business-minded boards of directors -- there is no quick fix, Ritter said.

"U.S. IT executives are struggling to know which playbook of rules they should follow, particularly when, at other levels of corporate strategy, the objective is to minimize government regulation," he said. In the long haul, however, an agreed-upon set of rules will ultimately help the bottom line, he argued.

"Ultimately, companies incur expenses when the rules of the game are not standardized. And for IT executives, their challenge is that it's very hard to explain to the board of directors that the irregularity in the rules is actually handicapping the company," Ritter said.

"Lots of U.S. companies were surprised and concerned by the recent Safe Harbor invalidation," Brown said, referring to the recent invalidation of a data agreement between the U.S. and the EU. "Safe Harbor was just an appetizer: GDPR is the main course."

CIO news roundup for week of Dec. 14

Here is more technology news from the week:

  • One thing we learned from this week's Republican debate: GOP candidates have some homework to do on the world's premier communications channel. "I would certainly be open to closing areas [of the Internet] where we are at war with somebody," Trump said during the debate. "I sure as hell don't want to let people that want to kill us and kill our nation use our Internet." Unfortunately, he didn't elaborate on the illogical logistics of "closing" the Internet in those regions of the world, or what he means by "our Internet." Wired has some educated guesses as to the meaning of Trump's and other candidates' statements around the topic of technology.
  • Apple's making some changes to its executive team. The company named longtime employee Jeff Williams the new COO of the tech giant, a position that has been formally vacant ever since Tim Cook made that coveted transition from COO to CEO in 2011. Also announced: Philip Schiller, senior VP of worldwide marketing, will expand his duties to manage Apple's App Store, according to Fortune.
  • One thing most smartphone owners can agree on: The battery life leaves a lot to be desired. Smartphone maker Oukitel changes that with its new Android K10000, which can last 15 days on a single charge and without a battery case. The device is available for preorder online for $240, according to ZDNet. Will other phone makers follow suit?
  • Linux is joining with some of the biggest tech companies, including Cisco, IBM and Intel, to tap the potential of blockchain technology -- a global record-keeping system. The goal? Blockchain could help companies better manage transactions, let manufacturers share production logs with OEMs and regulators to reduce product recalls, help governments make public records more available and allow systems to track individual device transactions.

Check out our previous Searchlight roundups on whether tech giants should join the fight against terrorism and how HBR's IT team won a seat at the table using Agile.