Understanding GDPR Through the Lens of Sarbanes-Oxley (SOX)

Understanding GDPR

The European Union (EU) General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and for many companies the challenges it presents may be reminiscent of the USA's Sarbanes-Oxley Act (SOX) from the early 2000s. Like GDPR, SOX was designed to increase transparency, and like GDPR it had a global effect, reaching many companies outside U.S. jurisdiction.

When the Sarbanes-Oxley Act was first introduced, the US government set an aggressive timeline for its deployment and imposed hefty fines for non-compliance. Some sections of the law covered the responsibilities of companies' boards of directors, and the Act established a new watchdog, the Public Company Accounting Oversight Board (PCAOB), under the oversight of the Securities and Exchange Commission to monitor compliance.

SOX was enacted in reaction to the Enron and WorldCom corporate accounting scandals and was designed to enforce transparency of financial reporting. It stopped companies from abusing investors' trust, helped to improve competition, and provided a functional accountability mechanism. Thanks in part to regulations like SOX and the 1995 EU Data Protection Directive, which GDPR replaces, companies now have a better handle on privacy impact assessment and data access governance.

While no single major scandal triggered GDPR, it has a similar purpose: to increase transparency and protect the rights of individuals. GDPR will enforce many common-sense data protection measures (such as regulating commercial and government collection of personal data, and deleting personal data at an individual's request where the regulation's conditions for erasure are met), protecting the entire lifecycle of data collection, use and storage.

These are all great ideas, but why now? The answer may lie in the growing number of companies collecting a raft of personal data on their customers, combined with the increasing use of Artificial Intelligence (AI) technologies to process that personal data for competitive advantage.

Many companies are sitting on large amounts of unstructured personal data. Server logs, website cookies, IP addresses, geographic locations, order histories, social network usage patterns, and a variety of other items of personal data are all easily collectable, but until recently were difficult to process in a systematic manner. In the last two years, however, the rise of machine learning, deep learning, and AI algorithms has made this data very valuable. Companies are now using it to generate business insight and make strategic decisions. GDPR will require companies to have a lawful basis, such as the explicit consent of the individual EU resident concerned, before that person's data can be processed.

The increasing value of this data has also made it more attractive to cybercriminals, increasing the frequency and severity of cyber-attacks. Ransomware gangs are estimated to have extorted US$5 billion from victims this year, and are projected to collect at least US$10 billion in ransoms in 2018. The surging growth of ransomware and other malware attacks will put more personal data at risk. Preparing for GDPR will force companies to review their data protection procedures and take adequate measures to ensure the security of personal data.

Overall, despite the rush to get ready and the fear of non-compliance, GDPR is expected to have a positive impact on the European market and on global companies dealing with European customers.

With the right technology, getting ready for GDPR is easier. Acronis data protection solutions such as Acronis Backup 12.5 support the technical side of GDPR compliance: they protect all data workloads, actively defend data from ransomware, allow companies to control where data is stored, provide flexible data search and export capabilities, and help organizations get more serious about detecting, stopping, and reporting security breaches. To find out more, visit https://www.acronis.com. To learn more about GDPR, visit https://www.acronis.com/en-gb/articles/gdpr/