Don't make the mistake of thinking the GDPR regulation only affects our friends and neighbors overseas. There may be real implications here at home.

Now that Europe's General Data Protection Regulation (GDPR) has taken effect, companies across the globe that do not comply with it could find themselves in regulatory and financial hot water. And while vendors selling security solutions to the private sector overseas will clearly be affected, it is also likely that GDPR will spur security spending in federal agencies here at home.

GDPR requires businesses to protect the personal data and privacy of EU residents for transactions that occur within EU member states. Companies must be able to demonstrate compliance, and non-compliance could cost them dearly. Any company that could potentially host EU residents' data could be liable for substantial fines if that data is leaked.

The nuts and bolts of GDPR

For background, here are some of the mandatory requirements that fall under GDPR:

Organizations will have to update policies and processes to reflect GDPR requirements, such as how they obtain and use consent and how they store information.

Data Protection Impact Assessments (DPIAs) will need to be conducted in order to design data privacy into any new systems and processes. These assessments are particularly important for any new technologies that involve large-scale processing of special categories of data, or any profiling that may affect individuals.

Some organizations will be required to have a Data Protection Officer (DPO) to enforce the mandatory processes mentioned above.

Importantly, however, while individuals must be able to opt in to having their data shared, this consent may not always be required, for example in cases where data analysis is deemed to be in the public interest. DPOs and other applicable senior managers will need to consider carefully whether this qualification applies to their organizations.

While, in general, data should be deleted once the purpose for collecting it has ended, public sector organizations can retain the information if there is a "public interest rationale" for keeping it. This is true even though GDPR also stipulates that individuals can, upon request, be given all of their information if they want to move it, or receive a report on how their information is used. After a request to release the data has been filed, organizations are required to formally explain to individuals why the information may need to be retained.

Importantly, a company to which GDPR applies (no matter where in the world it is) that does not comply with GDPR and suffers a breach of EU residents' data can be penalized up to 4% of its total revenue or 20 million euros, whichever is greater!

How the US fits in

GDPR seems to be a common-sense approach to making sure that individuals keep the right to have their information used as they see fit, and the right to be "forgotten," that is, to have personal data eliminated if they don't want it lingering forever in the ether. It's important to remember, however, that this common sense doesn't begin and end across the Atlantic. Both the U.S. federal government and vendors selling security solutions to the government have a stake in all this.

For example, GDPR raises the bar on security across the board. Companies will adopt more stringent privacy regimes, and vendors will sell more capable tools. Better security overall means better protection of sensitive information hosted in government clouds, and you will soon see vendors producing solutions that will undoubtedly be marketed as "GDPR compliant for your business."

More importantly, the EU regulation underscores the importance of the US Defense Federal Acquisition Regulation Supplement (DFARS), which required all government contractors to establish a program to protect Controlled Unclassified Information (CUI). All federal contractors were required to meet DFARS minimum security standards by December 31, 2017 or risk losing their DoD contracts. With the added scrutiny placed on data by GDPR, we could see DFARS or new regulations taking stronger hold in the US, adding fines or even more stringent requirements for any commercial cloud companies hosting personally identifiable information for the government.

In fact, a number of federal agencies already have increasing responsibility for managing data relevant to GDPR.

The Department of State, for example, traditionally handles and resolves complaints from EU citizens concerning U.S. national security access to data transmitted from the EU. The Department is empowered to oversee all complaints concerning American national security access to commercial data transfers from the EU to the US.

The Department of Transportation is responsible for the investigation, monitoring and enforcement of US airlines that capture data covered by GDPR. The Federal Trade Commission and the Department of Commerce similarly monitor companies that transact with and host data of EU citizens.

And that's just the beginning. Intelligence agencies could pour resources into being more selective in their collection efforts, and the Justice Department might even become involved if EU citizens are somehow brought into investigations.

The upshot here is, let's not shrug off GDPR as being solely in the realm of our friends and neighbors overseas. There may be real implications here at home. Heightened security responsibilities among government agencies, pushed by GDPR, are likely to spur growth in the security industry for tools that can address those responsibilities and ensure regulatory compliance at home and abroad.