The GDPR initiative and how it affects US government and industry

Jun 05, 2018 | 5 min read
Data and Information Security, Data Management, Government

Don't make the mistake of thinking the GDPR regulation only affects our friends and neighbors overseas. There may be real implications here at home.


Now that Europe’s General Data Protection Regulation (GDPR) has taken effect, companies across the globe that do not comply with GDPR could find themselves in regulatory and financial hot water.

And while vendors selling security solutions to the private sector overseas will clearly be affected, it’s also likely that GDPR may spur security spending in federal agencies here at home.

The GDPR regulation requires businesses to protect the personal data and privacy of EU residents for transactions that occur within EU member states. Companies must be able to demonstrate compliance, and non-compliance could cost them dearly. Any company that hosts EU residents’ data could be liable for substantial fines if that data is leaked.

The nuts and bolts of GDPR

For background, here are some of the mandatory requirements that fall under the GDPR regulation:

Organizations will have to update policies and processes to reflect GDPR requirements, such as how organizations obtain and use consent and also how they store information.

Data Protection Impact Assessments (DPIA) will need to be conducted, to design data privacy into any new systems and processes. These assessments are particularly important for any new technologies that use large-scale processing of special data categories, or any profiling that may affect individuals.

Some organizations will be required to have a Data Protection Officer (DPO) to enforce these mandatory processes mentioned above.

Importantly, however, while individuals must be able to opt-in to having data shared, this consent may not always be required – for example in cases where data analysis is deemed in the public interest. DPOs and other applicable senior management individuals will need to carefully consider whether this qualification applies to their organizations.

While, in general, data should be deleted once the purpose for collecting it has been fulfilled, public sector organizations can retain the information if there is a “public interest rationale” for keeping it. This is true even though GDPR also stipulates that individuals can, upon request, be given all their information if they want to move it, or receive a report on how their information is used. After a request to release the data has been filed, organizations are required to formally explain to the individual why the information may need to be retained.

Importantly, a company to which GDPR applies (no matter where in the world it is located) that does not comply with the GDPR and suffers a breach of EU residents’ data can be penalized up to 4% of its total revenue or 20 million euros, whichever is greater.

How the US fits in

GDPR seems to be a common-sense approach to making sure that individuals keep the right to have their information used as they see fit, including the right to be “forgotten,” that is, to have personal data eliminated if they don’t want it lingering forever in the ether. It’s important to remember, however, that this common sense doesn’t begin and end across the Atlantic. Both the U.S. federal government and vendors selling security solutions to the government have a stake in all this.

For example, GDPR raises the bar on security across the board. Companies will adopt more stringent privacy regimes, and vendors will sell more capable tools. Better security overall means better protection of sensitive information hosted in government clouds, and you will soon see vendors producing solutions that undoubtedly will be marketed as “GDPR compliant for your business.”

More importantly, the EU regulation underscores the importance of the US Defense Federal Acquisition Regulation Supplement (DFARS), which required all government contractors to establish a program to protect Controlled Unclassified Information (CUI). All federal contractors were required to meet DFARS minimum security standards by December 31, 2017, or risk losing their DoD contracts. With the added scrutiny placed on data by GDPR, we could see DFARS or new regulations taking stronger hold in the US, adding fines or even more stringent requirements for any commercial cloud companies hosting personally identifiable information for the government.

In fact, a number of federal agencies already bear increasing responsibility for managing data relevant to GDPR.

The Department of State, for example, traditionally handles and resolves complaints from EU citizens concerning U.S. national security access to data transmitted from the EU. The Department is empowered to oversee all complaints concerning American national security access to commercial data transfers from the EU to the US.

The Department of Transportation is responsible for the investigation, monitoring and enforcement of US airlines that capture EU GDPR data. The Federal Trade Commission and the Department of Commerce, similarly, monitor companies that transact with and host EU citizens.

And that’s just the beginning. Intel agencies could pour resources into being more selective in their collection efforts, and the Justice Department might even become involved if EU citizens are somehow brought into investigations.

The upshot is this: let’s not shrug off the GDPR regulation as being solely in the realm of our friends and neighbors overseas. There may be real implications here at home. Heightened security responsibilities among government agencies, pushed by GDPR, are likely to spur growth in the security industry for tools that can address those responsibilities and ensure regulatory compliance at home and abroad.

Lloyd McCoy is a DOD manager with immixGroup’s Market Intelligence team. He is responsible for providing subject matter expertise on Department of Defense agencies, identifying business opportunities, and providing timely, relevant, and actionable intelligence to clients.

Prior to immixGroup, Lloyd worked for the Defense Department for eight years, serving in a variety of senior analytic and project management positions both in the U.S. and abroad. In this capacity, Lloyd worked extensively with the acquisition and procurement offices within the Office of Secretary of Defense.

Lloyd earned an M.S. in Strategic Intelligence from the National Intelligence University in 2011, as well as an M.A. in Public Policy in 2004 and a B.A. in Political Science in 2002, both from the University of Maryland.

The opinions expressed in this blog are those of Lloyd McCoy Jr. and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.