With the continued focus on personal information and the privacy rights of individuals, the General Data Protection Regulation (GDPR) officially went into effect on May 25 and it will certainly have an international reach, affecting any organization that handles the personal data of European Union (EU) residents, regardless of where it is processed. The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are struggling to come to terms with.
The GDPR redefines the scope of EU data protection legislation, forcing organizations worldwide to comply with its requirements. This most certainly includes U.S.-based organizations. The GDPR aims to establish the same data protection levels for all EU residents and will have a solid focus on how organizations handle personal data. Alongside its benefits, the GDPR will create several compliance requirements from which few organizations will completely escape.
However, organizations will benefit from the uniformity introduced by the reform and may no longer need to navigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits as countries in other regions are dedicating more attention to the defense of mission-critical assets. At the Information Security Forum (ISF), we believe that the GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.
Understanding the Consequences of Non-Compliance
Most countries have established supervisory authorities to oversee the use of personal data. These supervisory authorities are government-appointed bodies that have powers to inspect, enforce and penalize the processing of personal data. In the U.S., a number of authorities enforce data protection requirements under the sectoral approach, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.
Supervisory authorities are granted investigatory powers by the GDPR, allowing them to investigate any complaint that they receive through a variety of measures such as audits and reviews of certifications and codes of conduct. Complaints may be received not only from the data subjects themselves but also from any organization or association that chooses to complain or has been chosen by a data subject to represent their interests. These complaints can be submitted to any supervisory authority, not just the supervisory authority with territorial responsibility.
If an organization is found to be in breach of the requirements of the GDPR, supervisory authorities have a variety of corrective powers from which to choose. These include the ability to issue warnings and reprimands to controllers or processors, but also far more substantial powers, which can compel an organization to process data in certain manners, or cease processing altogether, as well as force an organization to communicate data breaches to the affected data subjects.
Implications for U.S. Businesses
The official GDPR date and final (or last-minute) preparations for compliance came at the same time that public conversations about online privacy reached a fever pitch. Between the massive Equifax breach, a seemingly continuous string of customer data breaches at major retail and restaurant brands (not to mention healthcare and financial services), and the Facebook-Cambridge Analytica scandal, the American public is getting a crash course in the security and privacy weaknesses of online services, apps and networked systems. It may not happen immediately, but chances are that further regulation and more intense oversight mechanisms will be developed in response to these striking revelations, which have damaged public trust and corporate integrity.
Public sentiment is wary and shifting. Organizations that rely on personal data — and individual users’ consent and trust — have an opportunity to go above and beyond GDPR in order to assuage worried and wary customers and partners. Apple has offered an example, announcing recently that they will offer GDPR protections to all their customers, not just EU data subjects specifically protected under the law. These protections — including a new privacy policy, easier access to important privacy settings, access to personal data stores, and ability to permanently delete accounts — will be available first to EU subjects and rolled out to every Apple customer worldwide in the months following GDPR enforcement commencement.
In this critical moment in the era of digital transformation, there are many lessons to be learned. Leading organizations will take the time to review how they are handling privacy concerns and how they are communicating about privacy to their customer base, supply chain, and partner ecosystem. Forward-looking strategic planning should include: monitoring Congressional and state legislative activity, regulatory guidance, and thought leadership; fine-tuning and rehearsing incident response plans; and keeping up with privacy and security best practices with regard to people, process, and technology.
Last Minute Scrambles
As is always the case with major regulatory changes, there are some companies that didn’t start GDPR preparations early enough, found the necessary activities were broader in scope or more complex than initially assessed, or only recently realized their business operations fell under GDPR’s purview. Even with mere weeks to go, there were still important steps that companies scrambled to accomplish to show they were taking the regulations seriously and had begun compliance work in earnest. For U.S. companies that might still be enacting their action plans, here are some clear directives.
One of these initial steps is to show risk management readiness — a deliberate review of existing data privacy policies, processes, and plans. Get your team together, and be sure to include representatives from every business function that touches personal data — this is not just a job for the marketing department. Consult legal advisors, figure out which internal security and data experts to work with, and work to get C-suite backing to make preparations a priority. Review products and services for data privacy hot spots; you may need to include product development or engineering teams in GDPR activities, especially if a non-critical feature introduces an outsized risk that could lead to expensive consequences. With a solid plan, a thorough risk review, and a multi-faceted team in place, companies can show they are being diligent, even if they aren’t technically compliant yet.
The next big step for latecomers (and an important obligation for all entities) is to assess the extended ecosystem — third parties, vendors, and partners — for GDPR compliance, data risks, and required documentation. For most companies, cloud service providers and other technology vendors will play a significant role in getting compliant with many regulatory regimes including GDPR, HIPAA, PCI DSS, and more. If you can’t tell enforcement agencies that you know exactly what data passes through or is held by your cloud provider, and what they’re doing to protect it, you can’t possibly show that you’re taking a serious and diligent approach to compliance. Confining GDPR activities to the public-facing corporate website and other obvious customer interfaces will signal to regulators that an organization is under-prepared or has a poor understanding of its obligations.
In the case of organizations still scrambling to catch up, it is imperative to stay laser-focused on top priorities. Determining the core tasks, ensuring you have a cross-functional team, and securing C-suite support will make it easier to expedite the remaining steps toward compliance. Be sure to document all activities, especially third-party assessments, and have strategic workflows and procedures to ensure efficiency and accountability.
Adhering to an organization's game plan is crucial, and takes real work: data inventory, data flow analyses, and data audits. An organization that doesn’t fully understand how personal data is being used, processed, and stored cannot establish viable “legitimate interest” justifications or offer its customers transparency and full disclosure when it comes time to seek their consent.
Look Beyond Compliance
No organization that operates on a global footprint of suppliers can afford not to prepare for changes that will result from new GDPR compliance rules. Falling out of compliance with data regulation can really hit you in the pocket. The checklist of rules requires extreme preparation and responsibility, all of which must be shouldered by organizations that cannot look solely to government or regulators for help.
The GDPR strengthens the requirements for protecting personal data. It affords individuals new and enhanced rights and freedoms and holds organizations responsible for enabling them. It promises to penalize organizations unable to uphold these rights and freedoms – a risk best managed by establishing an enterprise-wide GDPR compliance program.
Leading organizations are looking beyond compliance, by extending the breadth of GDPR compliance programs to leverage additional benefits. Examples include:
- Consolidating activities into broader information governance programs
- Embedding information security into the design of business applications and technical infrastructure
- Improving data protection and privacy practices
- Extending information security’s reach within the business
While every organization should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into a tangible business benefit. Leading organizations are structuring GDPR compliance programs to exploit these opportunities, mindful of their increased responsibilities to handle personal information appropriately and responsibly. Although the GDPR is upon us, it is not too late to join them – May 2018 was the start of the journey to ongoing protection of personal information, something that will be with us for some time to come.
About the Author: Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.