Knowing how GDPR is different from the regulations your company is already complying with will help determine the gaps that exist between the two.

The essence of the GDPR is individual privacy protection. Europeans consider data privacy a basic human right. If the founding fathers had known that Snapchat was on its way, they might just have written it into the Constitution. Something along the lines of “life, liberty, and the right to be able to erase those awkward pictures with Ben Franklin.”

As an American, you may be asking yourself, “Should my company worry about these laws?” After reading the following, you should be able to answer this question with confidence.

Since most companies of any size are likely in compliance with some sort of regulation, whether it is PCI-DSS, NIST or HIPAA, among others, the good news is that the infrastructure and processes are in place and compliance with GDPR will not require a reinvention of the wheel. Knowing how it’s different from the regulations your company is already complying with will help determine the gaps that exist between the two. Two aspects of GDPR that differ from US regulations are the scope of the data covered and the rights that are granted to citizens.

Scope

First, it is important to mention the extraterritorial clause in GDPR, which makes clear that a company’s geographical location has nothing to do with the jurisdiction of GDPR. Whether a company is in Calgary or Calcutta, the rules still apply. The scope of the data protected under GDPR is quite broad. Generally, it covers any information that can help identify a person in any way. The obvious categories such as SSN and DOB are covered, but so are GPS data, IP addresses and browser tokens, among others. If your company collects or stores anything of this sort, it is going to be subject to GDPR sanctions.

Rights

As previously mentioned, data privacy is considered a human right for Europeans.
Under this umbrella are the rights of portability, erasure, and the right to object. Portability concerns a company’s ability to produce the data when directed and to use it across multiple devices. Erasure refers to the right to be forgotten, a.k.a. the Ken Bone rule. Finally, the right to object deals with consent (i.e. the 10 pages of EULA that everyone automatically accepts). If your company’s systems could cross paths with a European’s data, compliance with GDPR should be a priority due to the size of the sanctions related to enforcement.

Penalties

Each member state designates a data protection authority to enforce GDPR. In the case of a data breach, or failure to comply with GDPR, companies can be fined up to 4% of annual global revenue, or €20 Million, whichever is greater. This fine is not necessarily levied only after a breach. It could come from a failed audit. There is a lower tier penalty for lesser infractions that caps out at 2% and €10 Million, which could come as a result of simply failing to produce appropriate records for the enforcement authority.

What is a breach and what actions are required?

One of the more drastic and controversial elements of GDPR is the requirement to report a breach within 72 hours of becoming aware of it. A company must not only notify the authorities, but also the data subject (individual), depending on the degree of harm that could come of the breach.

This is one aspect of GDPR that some states in the US have already addressed, albeit in a patchwork fashion. What’s more, it was addressed on the federal level by DFARS clause 252.204-7012, which contains a 72-hour reporting window. However, this applies to security incidents involving controlled unclassified information (CUI) in the execution of government contracts, and alas, doesn’t include the location of your grandmother’s GPS-enabled wheelchair.

Avoiding the burn

So how can your company avoid the existentially threatening fines of GDPR?
Develop a plan, either with your internal staff or with a third-party expert. To find gaps and protect data, a full current-state analysis of your systems should be conducted globally. Privacy impact assessments and risk analysis should be conducted. Current documentation such as system security plans, disaster recovery plans, incident response plans, etc. should be reviewed in light of this new context.

Find the data

Simply finding the relevant data seems like an innocuous task, but in reality, it’s as innocuous as smallpox. Many companies do not understand the full data flow of their business, and how it affects the rest of their systems. Many systems are segmented into silos based on business functions, such as marketing and sales. One missed sales record of a European citizen could be cause for fines.

Track the data

Heads from all departments need to come together to determine what personal data their departments currently use, what will be needed in the future, and to discuss how that data affects business processes. The business case needs to be made to executives that data protection is worth investing in and budgeting for.

Technical changes

There likely will need to be some changes to systems, and so change management meetings will need to be conducted. GDPR addresses encryption and pseudonymization of data, so these capabilities will need to be added to systems in some cases. Most importantly, data loss prevention (DLP) capabilities and data governance strategies must be included in any GDPR security plan.

Personnel changes

GDPR explicitly requires a company to employ a data protection officer (DPO). There are no specific requirements for this position, except that the DPO should have expert knowledge of laws and regulations addressing data privacy.

In the wake of the Equifax breach, GDPR does offer a light at the end of the tunnel.
Though it may be too late for many whose PII is already drifting through the dark web like leaves on a fall day, with GDPR in place, future generations may just be protected from the same fate.