GDPR Will Impact Data Management In The USA

With Europe’s General Data Protection Regulation set to take effect on May 25, 2018, IT and data management leaders across the world, including those in the United States, should be preparing for the new requirements affecting organisations inside and outside of Europe.
 
You don’t have to have physical operations in Europe to be affected by the GDPR, and failure to prepare can have severe ramifications, including crippling fines.
 
Directives, Regulations, and Federalism
Data protection laws in Europe have had variances, as well. The difference between a directive and a regulation is important.
Under what is known commonly at the 1995 Directive, officially, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, European data protection law is somewhat like the federalism of US law.
 
In the US, one has 50 states, a federal district, and various territories making laws. At the same time, the EU—at least for the moment—has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). They make different laws that sometimes contradict each other. The 1995 Directive, which took effect in 1998, provides guidance, but Europeans sought a regulation that would harmonize European data protection laws.
 
Enter the General Data Protection Regulation (GDPR), which will become effective May 25, 2018. In this article, I’ll examine the rationale behind the new regulation, analyze the provisions of the GDPR, and let you know how you can prepare for next May.
 
Data Law Harmony in Europe
As an initial matter, I should note that—although many observers say simply the EU GDPR—the new regulation actually affects more than merely the EU.
 
First, the regulation itself is not merely for the 28 member states of the European Union. It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein. The GDPR is being integrated into the 1992 EEA Agreement.
 
Second, if you’re sitting in Des Moines, thinking, “I don’t care what the Europeans do, I’m in Iowa,” you probably should care because the GDPR affects not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals—regardless of the organization’s location. Yes, Des Moines, that means you, too.
 
At first glance, one would think the GDPR is good for cross-border business and for e-discovery with Europe. After all, with data protection laws and regulations harmonised among the 31 EEA nations, things should be easier, right? The problem is that some of the new provisions make European data protection law even more different from US law, a big challenge for international business and litigation.
 
What’s Changing?
To put the provisions of the GDPR in context, I should note the United States and Europe have very different views of data privacy. In the US, we tend to put greater value on free speech, and the right to evidence in litigation, than we do for data privacy. In fact, contrary to what many Americans think, there is no specific right to privacy in the US Constitution.
 
American courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. However, the original document is silent on the issue of privacy, and it wasn't until 1965 that the US Supreme Court articulated an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.
 
Contrast that with Europe. From the beginning of Europe to the tragic history of World War II, privacy has come to carry greater importance there. In fact, unlike in the US, privacy is a fundamental right in Europe under article 8 of the EU Charter of Fundamental Rights.
 
Controller v. Processor
When determining how the GDPR affects you, an initial consideration is whether you’re a data controller or merely a data processor. The difference is significant. Article 4 of the GDPR provides the following definitions:
A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
 
A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
 
GDPR article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organizational measures to ensure GDPR compliance. 
 
Processors do have certain limitations. For instance, GDPR article 28 provides that processors may not engage another data processor without permission of the data controller. Processors, too, must implement proper controls, and article 83 provides that GDPR fines apply to both controllers and processors.
 
Hefty Fines
One of the biggest data protection changes coming with the GDPR comes in the form of substantial fines. GDPR violations can result in fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater.
 
Consent
Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
 
Data Breach Notification
One of the more controversial provisions of the GDPR is that data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals. Critics worry the 72-hour notification is unrealistic at best and counterproductive at worst.
 
Right to Erasure
Known formerly as the “right to be forgotten,” these provisions were also controversial, giving data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.
 
Right to Access
The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.
 
Data Protection Officers
Another GDPR requirement is that companies appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, during negotiations on the GDPR, the number of organizations required to have a DPO was reduced substantially.
Although almost all public organizations will have to have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information will have to have them. Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.
 
Going Forward
Given these new requirements, how should you be preparing for the GDPR? I have a few tips:
 
• Obtain ISO 27001 Certification: Promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the international standard for data security. ISO 27001 certification requires that an organization examine its information security threats and vulnerabilities, develop and implement security controls, and continue to monitor potential security threats. ISO 27001 certification won't ensure complete compliance with the GDPR, but it will go a long way.
• Hire a DPO or CISO: Hiring a data protection officer (DPO) is no longer a requirement for many companies under the GDPR. As I noted above, original drafts of the regulation required far more organizations to have a DPO, but just because the GDPR doesn't require you to have a DPO doesn't mean you shouldn't. Having a DPO or a chief information security officer (CISO) can help in achieving GDPR compliance and ISO 27001 certification.
• Hire a Consumer Data Ombudsman: Consumers have far greater rights vis-a-vis their data under the GDPR. Unless you want your DPO/CISO or other staffers bogged down with incessant customer data demands, create a role or department specifically for dealing with requests and complaints from data subjects.
• Use Consultants and the IAPP: Although the GDPR may be a wake-up call to many organizations, others have been monitoring and preparing for the GDPR during the years of negotiation. Consulting firms and organizations such as the International Association of Privacy Professionals (IAPP) can provide guidance, and the EU itself offers some insight.
• Build a Data Map: Under the GDPR, having a map of exactly what data you have and where that data reside is critical. If your data is flowing outside the EEA or the nations deemed to have adequate data protection standards, you need to know and take appropriate safeguards.
 
However, you prepare, time is of the essence. Next May will be here soon, and the EU will, in all likelihood, be making an example out of someone. Don’t let it be you.
 
Information-Management
 
You Might Also Read:
 
US Needs To Get Its Data Ready For GDPR:
 
What Does The UK’s Data Protection Bill Mean For Business?:
 
EU / US Privacy Shield Affects Your Organisation:
 
 
« 3D Mapping Can Locate Survivors In Burning Buildings
Startups Are Changing The Future Of Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Wall Street Technology Association (WSTA)

Wall Street Technology Association (WSTA)

The Wall Street Technology Association (WSTA) provides financial industry technology professionals with forums to learn from and connect with each other.

F5 Networks

F5 Networks

F5 products ensure that network applications are always secure and perform the way they should—anywhere, any time, and on any device.

IGEL Technology

IGEL Technology

IGEL Technology is one of the world's leading thin client vendors. Thin clients increase data security and compliance.

Teradata

Teradata

Teradata is a leading provider of enterprise big data analytics and services. Applications include Cyber Security Analytics.

TWNCERT

TWNCERT

TWNCERT is the National Computer Emergency Response Team of Taiwan.

AdNovum Informatik

AdNovum Informatik

AdNovum Informatik provides a full set of IT services, ranging from consulting, the conception and implementation of customized business and security solutions to maintenance and support.

Cyber Senate

Cyber Senate

Cyber Senate is dedicated to bringing Operators of Essential Services together with global subject matter experts to address the challenges of evolving cyber threats to critical infrastructure.

Nexthink

Nexthink

Using our solution, hundreds of IT departments effectively balance offering a productive and enjoyable end-user experience with making the right decisions to secure and transform the digital workplace

LEPL Cyber ​​Security Bureau - Georgia

LEPL Cyber ​​Security Bureau - Georgia

The aim of the LEPL Cyber Security Bureau is to create and strengthen stable, efficient and secure systems of information and communications technologies.

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator invests in early stage disruptive companies in the security industry including, Cybersecurity, Internet of Things (IOT), Blockchain and AI.

Global Cybersecurity Forum (GCF)

Global Cybersecurity Forum (GCF)

Global Cybersecurity Forum is a catalyst platform designed to create a more resilient and better cyberworld for all.

e-Careers

e-Careers

e-Careers is an edtech institution that provides industry recognised courses and up-skilling solutions to individuals and organisations.

Edgile

Edgile

Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content.

ST Engineering Antycip

ST Engineering Antycip

ST Engineering Antycip (formerly Antycip Simulation) is Europe’s leading provider of professional grade COTS simulation software, projection & display systems, and related engineering services.

Locuz

Locuz

At Locuz, we’ve made it our mission to help businesses like yours create an actionable digital strategy.

SecAI

SecAI

SecAI is an innovative threat intelligence-driven, and AI-powered vendor aiming at cyber threat detection and response.