GDPR Will Impact Data Management In The USA

With Europe’s General Data Protection Regulation set to take effect on May 25, 2018, IT and data management leaders across the world, including those in the United States, should be preparing for the new requirements affecting organisations inside and outside of Europe.
 
You don’t have to have physical operations in Europe to be affected by the GDPR, and failure to prepare can have severe ramifications, including crippling fines.
 
Directives, Regulations, and Federalism
Data protection laws in Europe have had variances, as well. The difference between a directive and a regulation is important.
Under what is known commonly at the 1995 Directive, officially, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, European data protection law is somewhat like the federalism of US law.
 
In the US, one has 50 states, a federal district, and various territories making laws. At the same time, the EU—at least for the moment—has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). They make different laws that sometimes contradict each other. The 1995 Directive, which took effect in 1998, provides guidance, but Europeans sought a regulation that would harmonize European data protection laws.
 
Enter the General Data Protection Regulation (GDPR), which will become effective May 25, 2018. In this article, I’ll examine the rationale behind the new regulation, analyze the provisions of the GDPR, and let you know how you can prepare for next May.
 
Data Law Harmony in Europe
As an initial matter, I should note that—although many observers say simply the EU GDPR—the new regulation actually affects more than merely the EU.
 
First, the regulation itself is not merely for the 28 member states of the European Union. It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein. The GDPR is being integrated into the 1992 EEA Agreement.
 
Second, if you’re sitting in Des Moines, thinking, “I don’t care what the Europeans do, I’m in Iowa,” you probably should care because the GDPR affects not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals—regardless of the organization’s location. Yes, Des Moines, that means you, too.
 
At first glance, one would think the GDPR is good for cross-border business and for e-discovery with Europe. After all, with data protection laws and regulations harmonised among the 31 EEA nations, things should be easier, right? The problem is that some of the new provisions make European data protection law even more different from US law, a big challenge for international business and litigation.
 
What’s Changing?
To put the provisions of the GDPR in context, I should note the United States and Europe have very different views of data privacy. In the US, we tend to put greater value on free speech, and the right to evidence in litigation, than we do for data privacy. In fact, contrary to what many Americans think, there is no specific right to privacy in the US Constitution.
 
American courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. However, the original document is silent on the issue of privacy, and it wasn't until 1965 that the US Supreme Court articulated an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.
 
Contrast that with Europe. From the beginning of Europe to the tragic history of World War II, privacy has come to carry greater importance there. In fact, unlike in the US, privacy is a fundamental right in Europe under article 8 of the EU Charter of Fundamental Rights.
 
Controller v. Processor
When determining how the GDPR affects you, an initial consideration is whether you’re a data controller or merely a data processor. The difference is significant. Article 4 of the GDPR provides the following definitions:
A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
 
A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
 
GDPR article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organizational measures to ensure GDPR compliance. 
 
Processors do have certain limitations. For instance, GDPR article 28 provides that processors may not engage another data processor without permission of the data controller. Processors, too, must implement proper controls, and article 83 provides that GDPR fines apply to both controllers and processors.
 
Hefty Fines
One of the biggest data protection changes coming with the GDPR comes in the form of substantial fines. GDPR violations can result in fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater.
 
Consent
Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
 
Data Breach Notification
One of the more controversial provisions of the GDPR is that data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals. Critics worry the 72-hour notification is unrealistic at best and counterproductive at worst.
 
Right to Erasure
Known formerly as the “right to be forgotten,” these provisions were also controversial, giving data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.
 
Right to Access
The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.
 
Data Protection Officers
Another GDPR requirement is that companies appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, during negotiations on the GDPR, the number of organizations required to have a DPO was reduced substantially.
Although almost all public organizations will have to have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information will have to have them. Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.
 
Going Forward
Given these new requirements, how should you be preparing for the GDPR? I have a few tips:
 
• Obtain ISO 27001 Certification: Promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the international standard for data security. ISO 27001 certification requires that an organization examine its information security threats and vulnerabilities, develop and implement security controls, and continue to monitor potential security threats. ISO 27001 certification won't ensure complete compliance with the GDPR, but it will go a long way.
• Hire a DPO or CISO: Hiring a data protection officer (DPO) is no longer a requirement for many companies under the GDPR. As I noted above, original drafts of the regulation required far more organizations to have a DPO, but just because the GDPR doesn't require you to have a DPO doesn't mean you shouldn't. Having a DPO or a chief information security officer (CISO) can help in achieving GDPR compliance and ISO 27001 certification.
• Hire a Consumer Data Ombudsman: Consumers have far greater rights vis-a-vis their data under the GDPR. Unless you want your DPO/CISO or other staffers bogged down with incessant customer data demands, create a role or department specifically for dealing with requests and complaints from data subjects.
• Use Consultants and the IAPP: Although the GDPR may be a wake-up call to many organizations, others have been monitoring and preparing for the GDPR during the years of negotiation. Consulting firms and organizations such as the International Association of Privacy Professionals (IAPP) can provide guidance, and the EU itself offers some insight.
• Build a Data Map: Under the GDPR, having a map of exactly what data you have and where that data reside is critical. If your data is flowing outside the EEA or the nations deemed to have adequate data protection standards, you need to know and take appropriate safeguards.
 
However, you prepare, time is of the essence. Next May will be here soon, and the EU will, in all likelihood, be making an example out of someone. Don’t let it be you.
 
Information-Management
 
You Might Also Read:
 
US Needs To Get Its Data Ready For GDPR:
 
What Does The UK’s Data Protection Bill Mean For Business?:
 
EU / US Privacy Shield Affects Your Organisation:
 
 
« 3D Mapping Can Locate Survivors In Burning Buildings
Startups Are Changing The Future Of Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Advent IM

Advent IM

Advent IM is one of the UK’s leading independent cyber security specialists, with a unique approach to providing holistic security management solutions.

NCX Group

NCX Group

NCX Group is committed to helping customers identify and mitigate the risks inherent in today’s interconnected environments and business processes.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

Thermo Systems

Thermo Systems

Thermo Systems is a design-build control systems engineering and construction firm. Capabilties include industrial control system cybersecurity.

Electric Imp

Electric Imp

Electric Imp offers an innovative and powerful Internet of Things platform that securely connects devices with advanced cloud computing resources.

CalCom

CalCom

CalCom Hardening Solution (CHS) for Microsoft OMS is a security baseline-hardening solution designed to address the needs of IT operations and security teams.

totemo

totemo

Totemo offers solutions for the secure exchange of business information.

DeuZert

DeuZert

DeuZert is an accredited German certification body in accordance with ISO/IEC 27001 (Information Security Management).

Accredia

Accredia

Accredia is the national accreditation body for Italy. The directory of members provides details of organisations offering certification services for ISO 27001.

Ntirety

Ntirety

Ntirety Managed Security Services offer enterprise businesses the advanced tools, processes, and support to ensure your infrastructure, networks, and mission-critical applications are secure.

Data Destruction London

Data Destruction London

Data Destruction London offers fast, confidential and compliant expert data destruction services to businesses and organisations in London.

Kratos Defense & Security Solutions

Kratos Defense & Security Solutions

The Kratos Space, Training, and Cybersecurity division addresses key cybersecurity challenges, including cloud security, continuous monitoring, IT security, and risk management.

JanBask Training

JanBask Training

JanBask Training is a dynamic, highly professional, global online training provider committed to propelling the next generation of technology learners with a whole new way of training experience.

Qi An Xin (QAX)

Qi An Xin (QAX)

QAX is a listed company based in China, and a leader in cybersecurity industry, providing new generation enterprise-level and national-level cybersecurity solutions.

Lightpath

Lightpath

Lightpath is revolutionizing how organizations connect to their digital destinations by combining our next-generation network with our next-generation customer service.

Smartcomply

Smartcomply

Smartcomply is an automated and AI-powered cybersecurity and compliance platform that aids businesses in reducing the time and money spent on cybersecurity and compliance.