Too much time on my hands
In April 2016, the European Union General Data Protection Regulation (GDPR) was approved by the EU Parliament “after four years of preparation and debate.” Compliance with the new law becomes mandatory on May 25, 2018, and given the complexities of adherence, companies are starting to scramble to put plans in place. While the law itself is an EU regulation, its impacts will be felt by any company that collects, stores, or uses data from or about EU citizens.
The GDPR replaces the Data Protection Directive, a rule more than 20 years old that guided how organizations protect EU residents’ personal data. The new law was created to simplify and unify the previously disparate data protection practices and policies across companies in the 28 member states[i], with the intent of safeguarding residents from privacy violations and from the increasing number of data breaches.
It’s tickin’ away with my sanity
GDPR introduces three main enhancements over the 1995 Directive:
Increased territorial scope: In the past, who was processing or handling what data where could leave room for interpretation on the necessary data protection measures. Under GDPR, the rules are very clear: Any company processing or handling personal data/personally identifiable information (PII) of data subjects (persons) residing in the EU must comply with GDPR or face steep penalties. Neither the company’s geographic location nor the geographic location of the company’s servers is relevant; the regulation is tied to the data, which is tied to the individual. Once the law takes effect next May, arguments such as, “Our company headquarters is in California, but the data resides on a server in Ireland and the individual, who is a resident of Germany, was on holiday in Tokyo when he placed his internet order,” will no longer hold up in the courts. The data subject is an EU resident and therefore GDPR compliance is mandatory.
Penalties: Under the new law, companies can be fined up to €20 million or 4% of annual global turnover (whichever is greater) for non-compliance. A tiered approach to fines is based on the severity of the infraction. According to the GDPR informational website, the most serious infringements, which trigger the highest fines, include actions like failure to obtain “sufficient customer consent to process data or violating the core of Privacy by Design concept.” Other cited violations include “not notifying the supervising authority and data subject about a breach, or not conducting impact assessment.”
Consent: EU laws about gaining data subjects’ consent have long been stricter than those in the U.S. The Right to Access, Right to be Forgotten, and Privacy by Design have all been in place for EU residents for some time now (varying by regulation), but under GDPR these rights, along with several others for residents, are combined and strengthened, giving EU residents more control over their PII. Companies will no longer be permitted to use lengthy, convoluted terms and conditions to explain how data subjects’/individuals’ data will be used, handled, or processed. According to the website, companies have to request consent in “clear and plain language,” and “It must be as easy to withdraw consent as it is to give it.”
It’s hard to believe such a calamity
Though May 2018 might sound far in the future, the problems with data governance are well known throughout the security community, and organizations wishing to conduct business globally must start to shore up policies and practices now.
According to a new study published by Compuware, 68% of survey respondents agreed with the following statement: “Do you find that the complexity of modern IT services means you can’t always know exactly where all of your customer data resides?” Additionally, a full 81% of respondents “think using outsourcers makes it more difficult to identify where every instance of customer data is stored and how it is used,” and a full 63% responded that “mobile technology has made it more difficult to keep track of where…customer data is at all times.”
Further, most companies today consider the analysis and use of customer data a major competitive advantage. Any consumer-facing brand will gleefully tout its ability to understand customers and leverage that knowledge to provide “the best” products and services. In this respect, complicated legalese is beneficial to these organizations because the more customer data involved in the analysis, the more precise these organizations become in their targeting. GDPR curtails this capability; organizations interacting with any EU resident data will have to completely overhaul the language around usage terms and conditions, making it clearer for everyone. And as a greater number of consumers become concerned about privacy, this clarity and simplicity are likely to result in less consent and thus less data that may be used by organizations for any advanced analysis or testing.
And it’s tickin’ away, tickin’ away from me
Technologically speaking, identifying all instances of an individual’s or group of individuals’ PII is not unreasonably cumbersome or challenging, yet according to the Compuware study, only 51% of organizations feel confident that they have systems in place that enable them to accomplish this task quickly and efficiently. For larger organizations, a €20 million fine may simply be considered “the cost of doing business” if compliance can’t be met in the next 15 months. On the other hand, it’s these larger organizations that are either more likely to already have the capabilities and staff implemented to tackle these challenges, or the budget available to allocate to data protection and governance projects.
Though GDPR forces many organizations (especially those outside the EU) to add another project to “the list,” the upside is that organizations which follow through on compliance will be placing more emphasis on data protection and governance. For those organizations that consider consumer data their treasure trove, it’s true that they could be handling less data in the future. On the other hand, those same types of organizations—retail and healthcare—have seen some of the most catastrophic breaches in history. Perhaps reinvigorated attention to data governance and privacy, alongside greater responsibility from data owners, will mitigate some of the devastating after-effects of organizations’ all-too-frequent breaches.
[i] Current as of 2.24.17