One of the switch engineers I worked with in the wireless telecommunications industry came out of the old AT&T landline company. While my entire career in wireless telecommunications was with digital switching, he originally worked with the electromechanical switches. Person A's voice would be physically connected by a crossbar to the ear of Person B.
At one time humans had to go around and collect the counts of the active circuits; a peg counter would increment and then be reset every 100 seconds. These numbers would be returned to a room full of secretaries. My switch engineer friend had a group of ten secretaries who reported to him. These secretaries would receive the counts and hand-draw the charts, which he then used to create his equipment utilization and traffic reports.
The enforcement date for the General Data Protection Regulations (GDPR) is May 25, 2018. These regulations shield personal data and privacy within the 28 member countries of the European Union and affect any U.S. company which "offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."
The EU is setting a global standard for data protection, data quality, and ownership with the basis being that people own the data collected about them. Fines and penalties are stiff, but May 25th is not "like Y2K" where the clock strikes midnight and fines are sent out. It's an ongoing effort with the expectation that the rights for individuals be respected. These rights include:
This Forbes article by Yaki Faitelson, Co-Founder and CEO of Varonis, is a good clarifier on some of the ways U.S.-based businesses will or won't be affected by GDPR. It also identifies several types of interactions with EU citizens which would be affected. These include: "Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply."
But like any other "Big Thing", service firms are popping up all over the place, including vendors selling "certification" and GDPR compliance consultancy. Privacy experts or privacy lawyers could be offering them, but it appears there's a rash of pop-ups. And "certification" isn't a thing yet - at least in the U.K. While this blog post is a year old, nothing appears to have changed. David Froud's blog is an entertaining and clarifying read, and as he says, GDPR is not "an IT problem" but a business one.
So, spend some time reading the GDPR website, and look at how data subject consent is to become explicit and unambiguous.