GDPR Will Impact Data Management In The USA

With Europe’s General Data Protection Regulation set to take effect on May 25, 2018, IT and data management leaders across the world, including those in the United States, should be preparing for the new requirements affecting organisations inside and outside of Europe.
 
You don’t have to have physical operations in Europe to be affected by the GDPR, and failure to prepare can have severe ramifications, including crippling fines.
 
Directives, Regulations, and Federalism
Data protection laws in Europe have had variances, as well. The difference between a directive and a regulation is important.
Under what is known commonly at the 1995 Directive, officially, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, European data protection law is somewhat like the federalism of US law.
 
In the US, one has 50 states, a federal district, and various territories making laws. At the same time, the EU—at least for the moment—has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). They make different laws that sometimes contradict each other. The 1995 Directive, which took effect in 1998, provides guidance, but Europeans sought a regulation that would harmonize European data protection laws.
 
Enter the General Data Protection Regulation (GDPR), which will become effective May 25, 2018. In this article, I’ll examine the rationale behind the new regulation, analyze the provisions of the GDPR, and let you know how you can prepare for next May.
 
Data Law Harmony in Europe
As an initial matter, I should note that—although many observers say simply the EU GDPR—the new regulation actually affects more than merely the EU.
 
First, the regulation itself is not merely for the 28 member states of the European Union. It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein. The GDPR is being integrated into the 1992 EEA Agreement.
 
Second, if you’re sitting in Des Moines, thinking, “I don’t care what the Europeans do, I’m in Iowa,” you probably should care because the GDPR affects not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals—regardless of the organization’s location. Yes, Des Moines, that means you, too.
 
At first glance, one would think the GDPR is good for cross-border business and for e-discovery with Europe. After all, with data protection laws and regulations harmonised among the 31 EEA nations, things should be easier, right? The problem is that some of the new provisions make European data protection law even more different from US law, a big challenge for international business and litigation.
 
What’s Changing?
To put the provisions of the GDPR in context, I should note the United States and Europe have very different views of data privacy. In the US, we tend to put greater value on free speech, and the right to evidence in litigation, than we do for data privacy. In fact, contrary to what many Americans think, there is no specific right to privacy in the US Constitution.
 
American courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. However, the original document is silent on the issue of privacy, and it wasn't until 1965 that the US Supreme Court articulated an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.
 
Contrast that with Europe. From the beginning of Europe to the tragic history of World War II, privacy has come to carry greater importance there. In fact, unlike in the US, privacy is a fundamental right in Europe under article 8 of the EU Charter of Fundamental Rights.
 
Controller v. Processor
When determining how the GDPR affects you, an initial consideration is whether you’re a data controller or merely a data processor. The difference is significant. Article 4 of the GDPR provides the following definitions:
A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
 
A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
 
GDPR article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organizational measures to ensure GDPR compliance. 
 
Processors do have certain limitations. For instance, GDPR article 28 provides that processors may not engage another data processor without permission of the data controller. Processors, too, must implement proper controls, and article 83 provides that GDPR fines apply to both controllers and processors.
 
Hefty Fines
One of the biggest data protection changes coming with the GDPR comes in the form of substantial fines. GDPR violations can result in fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater.
 
Consent
Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
 
Data Breach Notification
One of the more controversial provisions of the GDPR is that data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals. Critics worry the 72-hour notification is unrealistic at best and counterproductive at worst.
 
Right to Erasure
Known formerly as the “right to be forgotten,” these provisions were also controversial, giving data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.
 
Right to Access
The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.
 
Data Protection Officers
Another GDPR requirement is that companies appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, during negotiations on the GDPR, the number of organizations required to have a DPO was reduced substantially.
Although almost all public organizations will have to have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information will have to have them. Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.
 
Going Forward
Given these new requirements, how should you be preparing for the GDPR? I have a few tips:
 
• Obtain ISO 27001 Certification: Promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the international standard for data security. ISO 27001 certification requires that an organization examine its information security threats and vulnerabilities, develop and implement security controls, and continue to monitor potential security threats. ISO 27001 certification won't ensure complete compliance with the GDPR, but it will go a long way.
• Hire a DPO or CISO: Hiring a data protection officer (DPO) is no longer a requirement for many companies under the GDPR. As I noted above, original drafts of the regulation required far more organizations to have a DPO, but just because the GDPR doesn't require you to have a DPO doesn't mean you shouldn't. Having a DPO or a chief information security officer (CISO) can help in achieving GDPR compliance and ISO 27001 certification.
• Hire a Consumer Data Ombudsman: Consumers have far greater rights vis-a-vis their data under the GDPR. Unless you want your DPO/CISO or other staffers bogged down with incessant customer data demands, create a role or department specifically for dealing with requests and complaints from data subjects.
• Use Consultants and the IAPP: Although the GDPR may be a wake-up call to many organizations, others have been monitoring and preparing for the GDPR during the years of negotiation. Consulting firms and organizations such as the International Association of Privacy Professionals (IAPP) can provide guidance, and the EU itself offers some insight.
• Build a Data Map: Under the GDPR, having a map of exactly what data you have and where that data reside is critical. If your data is flowing outside the EEA or the nations deemed to have adequate data protection standards, you need to know and take appropriate safeguards.
 
However, you prepare, time is of the essence. Next May will be here soon, and the EU will, in all likelihood, be making an example out of someone. Don’t let it be you.
 
Information-Management
 
You Might Also Read:
 
US Needs To Get Its Data Ready For GDPR:
 
What Does The UK’s Data Protection Bill Mean For Business?:
 
EU / US Privacy Shield Affects Your Organisation:
 
 
« 3D Mapping Can Locate Survivors In Burning Buildings
Startups Are Changing The Future Of Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

GTB Technologies

GTB Technologies

GTB Technologies is a cyber security company that focuses on providing enterprise class data protection and data loss prevention solutions.

Cyber Security For Critical Assets (CS4CA)

Cyber Security For Critical Assets (CS4CA)

Cyber Security For Critical Assets is a global series of summits focusing on cyber security for critical infrastructure.

Fair Isaac Corporation (FICO)

Fair Isaac Corporation (FICO)

FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, optimize operations and meet strict government regulations.

OEDIV SecuSys

OEDIV SecuSys

OEDIV SecuSys (formerly iSM Secu-Sys) develops high-quality IT software solutions, setting standards as a technology leader in the area of identity and access management.

Elliptic

Elliptic

Elliptic solve the crucial problem of identity in cryptocurrencies, with the sole purpose of combating suspicious and criminal activity.

NSO Group

NSO Group

NSO Group develops technology that enables government intelligence and law enforcement agencies to prevent and investigate terrorism and crime.

DMARC360

DMARC360

DMARC360 analyzes your email traffic patterns and sources, rapidly deploys email authentication protocols and monitors your email domains with automated recommendations and incident response.

Forever Group

Forever Group

Forever Group is a Managed Services Provider specialising in Telecommunications, IT Support, and Cyber Security.

Conference on Applied Machine Learning in Information Security (CAMLIS)

Conference on Applied Machine Learning in Information Security (CAMLIS)

CAMLIS is a venue for discussing applied research on machine learning, deep learning and data science in information security.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Technivorus Technology

Technivorus Technology

Technivorus is a deep-tech firm delivering customized Cybersecurity, Digital Marketing, Web & App Development, and multifarious IT services for businesses across the globe.

CYMAR

CYMAR

CYMAR The “CYBER” Smart Solution to offer sustainability and bring resilience to Global SMART Terminals and protect the supply chain of the World’s economy.

AT&T Cybersecurity

AT&T Cybersecurity

AT&T Cybersecurity’s Edge-to-Edge technologies provide threat intelligence, collaborative defense, security without the seams, and solutions that fit your business.

Mobilen Communications

Mobilen Communications

Mobilen are dedicated to providing our customers with the highest level of secure data in transit and to bring privacy back to a mobile world.

Cybersecurity Agency of Catalonia - Spain

Cybersecurity Agency of Catalonia - Spain

Cybersecurity Agency of Catalonia is responsible for implementing public policies in the field of cybersecurity and developing the cybersecurity strategy of the Generalitat de Catalunya.

Southern Cyber

Southern Cyber

At Southern Cyber, our mission is to deliver world-class information security solutions that align businesses with leading security frameworks and compliance standards.