GDPR compliance is not a customer-service proposition. To better understand GDPR, U.S. companies should adopt a European mindset.

In the U.S. we’re all about the customer. How fast can I get that Amazon delivery to your door? How much better can I make that latte you buy every week? How many coupon enticements do I need to get you back to that online shopping cart? This customer-centric mentality carries over to IT and security tasks: we think of security as providing services to the consumer. However, with GDPR compliance looming before organizations in the U.S., we need to broaden our way of thinking, look at how GDPR is perceived and executed in Europe, and ask why our customer mindset may not be the best approach to GDPR compliance.

‘CIA’ and GDPR: Can they peacefully co-exist?

In Europe, security is viewed as an extension of privacy. Delivery of services is not the primary goal of security; rather, security is enacted to assure privacy. The U.S., in contrast, practices service-oriented security, in which security provides services to the consumer. We in the U.S. use the ‘CIA’ approach to providing and protecting data: Confidentiality, Integrity, Availability.

A quick lesson here on the roots of EU privacy-centricity. In Europe’s history, Communism and other socially oriented structures encouraged citizens and government agencies to invade privacy. A person could be punished for what they believed, thought, said or wrote, even if those opinions were expressed in private. The EU focus on privacy protection is a response to the privacy invasions of earlier times. In the U.S., the emphasis on individual freedoms as a foundation of law has lowered the priority of privacy legislation. Even though violations of privacy may be just as prevalent in the United States as elsewhere, the enactment of privacy legislation lags behind that in Europe.
Because privacy legislation has had this lower priority, taking a fresh look at privacy can be advantageous to U.S. organizations tackling GDPR compliance. First, GDPR requirements are not altogether new. U.S. organizations are being tasked with building on the privacy principles that the EU has embraced in previous legislation. The difference is that these principles now have teeth, in the form of fines of up to 20 million Euros, or up to 2-4% of a company’s total worldwide annual revenues.

Can U.S. organizations blend a privacy focus with their service-oriented approach? The short answer is yes, if they reset their thinking. Consider the GDPR principle related to data security. While U.S. workers like to think they can have access to any data they want, when they want it, on any device, GDPR basically says, not so fast. Under GDPR, the organization that collects and processes the data is solely responsible for implementing security measures proportionate to the rights of, and the risk to, the individual data subjects. Negligence is no longer an excuse, so organizations must invest adequate resources in protecting data. To get compliant, U.S. organizations need to evaluate how well they are notifying data subjects, enforcing security policies, utilizing security measures like dynamic access controls, verifying the identity of those accessing the data, protecting against malware/ransomware, and essentially doing a superb job of protecting against risk and data breaches.

Shifting the prism to privacy

To adopt a European mindset toward GDPR, shift the prism of your security focus to one of privacy. Remember that protection of personal data and privacy is at the core of GDPR thinking. The GDPR emphasis on Privacy by Design, for example, helps overcome some U.S. companies’ bias toward service-oriented security (the ‘CIA’ bias). It requires companies to build privacy into corporate processes. You are graded on your process, not just the final product.
The main goal of GDPR is to protect the personal data of EU citizens no matter where the processing of that data takes place. One of the key areas is notification. Broadly, it is allowable to hold data on European data subjects, as long as you notify them and have a valid business reason. By adding proper notification and storing the data subject’s acceptance of that notification, you can avoid many of the pitfalls around GDPR.

Another key area is the data subject’s “right to be forgotten”. This means that you need a process in place to remove or expunge the private data of individuals who request removal, when you no longer need to hold their data. Make sure you have processes that allow you to remove personal data, or that you can justify keeping that information because of business need. For example, if you are still billing a customer, you don’t have to “forget” them until you’ve been paid. Also remember that privacy rights extend to real persons only, not to companies or other entities.

GDPR, while painful in the short term, may have longer-range positive effects, prompting all of us to look not only at how we protect data but at why we collect a particular piece of data. It can inspire greater efficiency and will no doubt encourage us to take a closer look at how we’re protecting privacy-sensitive data.