Take a cue from Europe on making GDPR work

In the U.S. we’re all about the customer. How fast can I get that Amazon delivery to your door? How much better can I make that latte you buy every week? How many coupon enticements do I need to get you back to that online shopping cart? 

This customer-centric mentality rolls over to IT and security tasks. We think of security as providing services to the consumer. However, with GDPR compliance looming before organizations in the U.S. we need to broaden our way of thinking and look at how GDPR is perceived and executed in Europe, and why our customer mindset may not be the best approach to GDPR compliance.

‘CIA’ and GDPR: Can they peacefully co-exist?

In Europe, security is viewed as an extension of privacy. Delivery of services is not a primary goal of security, rather, security is enacted to assure privacy. The U.S., in contrast, is service-oriented security – that is, security provides services to the consumer. We in the U.S. use the ‘CIA’ approach to providing and protecting data –  Confidentiality, Integrity, Availability.

A quick lesson here on the roots of EU privacy-centricity. In the EU’s history, Communism and other socially oriented structures in Europe encouraged citizens and government agencies to invade privacy. A person could be punished for what they believed, thought, said or wrote about, even if those opinions were expressed in private.  The EU focus on privacy protection is a response to the privacy invasion of earlier times.

In the U.S., the emphasis on individual freedoms as a foundation of law has lowered the priority of privacy legislation. Even though violation of privacy may be just as prevalent in the United States as elsewhere, the enactment of privacy legislation lags behind privacy legislation in Europe.  Because of this lower priority of privacy legislation, taking a fresh look at privacy can be advantageous to U.S. organizations tackling GDPR compliance. 

First, GDPR requirements are not altogether new. U.S. organizations are being tasked with building on the privacy principles that EU has embraced in previous legislation. The difference is, now these principles have teeth in the form of fines up 20 million Euros, or up to 2-4% of a company’s total worldwide annual revenues.

Can U.S. organizations blend the U.S. privacy focus with their service-oriented approach? Short answer is yes, if they reset their thinking. Consider the GDPR principle related to data security. While U.S. workers like to think they can have access to any data they want, when they want it, on any device, GDPR basically says, not so fast. Under GDPR, an organization that is collecting and processing the data is now solely responsible for implementing the appropriate security measures that are proportionate to the rights of, and risk to the individual data subjects. Negligence is no longer an excuse, so organizations must invest adequate resources to protecting data. To get compliant, U.S. organizations need to evaluate how well they are notifying data subjects, enforcing security policies, utilizing security measures like dynamic access controls, verifying the identity of those accessing the data, protecting against malware/ransomware, and essentially doing a superb job of protecting against risk and data breaches.

Shifting the prism to privacy

To adopt a European mindset toward GDPR, shift the prism of your security focus to one of privacy.  Remember that protection of personal data and privacy is at the core of GDPR thinking. The GDPR emphasis on Privacy by Design, for example, helps overcome some U.S. company bias toward service-oriented security (‘CIA’ bias). It requires companies to implement privacy into corporate processes. You are graded on your process, not just the final product. 

The main goal of GDPR is to protect the personal data of EU citizens no matter where the processing of data takes place. One of the key areas is notification.  Broadly, it is allowable to hold data from European data subjects, as long as you are notifying them and have a valid business reason.  By adding proper notification and storing acceptance of this notification, you can avoid many of the pitfalls around GDPR.

Another key area is the data subject’s “right to be forgotten”.  This means that you need to have a process in place to remove/expunge private data of individuals that request removal, when you no longer need to hold their data.  Make sure you have processes that allow you to remove personal data, or that you can justify keeping that information because of business need.  An example is, if you are still billing a customer, you don’t have to “forget” about them until you’ve been paid.  Also remember that privacy rights extend to real persons only, not companies or other entities. 

GDPR, while painful in the short term, may have longer range positive effects, prompting all of us to look not only at the how of protecting data but the why of collecting a particular piece of data. It can inspire greater efficiency and no doubt, encourage us to take a closer look at how we’re protecting privacy-sensitive data.