GDPR's Impact In The US And Globally

GDPR enforcement began in May of 2018. If you are doing business in the US or elsewhere, you may think that it doesn’t apply to your organisation, but that would be a mistake. GDPR affects organisations and businesses worldwide.
 
GDPR stands for the General Data Protection Regulation, and over a year after it came into effect, almost 30% of EU businesses are still not compliant. What GDPR means is that citizens of the EU and EEA now have greater control over their personal data. GDPR also gives assurances that their information is being securely protected across Europe, and the law makes clear that non-compliant businesses will be taken to court and heavily fined.
 
According to the GDPR directive, all personal data, that is, any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address, must be kept secure and used legally.
 
There is no distinction between personal data about individuals in their private, public or work roles: the person is the person. Even in a B2B setting, everything is about individuals interacting and sharing information with and about each other.
The GDPR is a relatively new data privacy law that has been added to a number of other compliance requirements. GDPR joins Sarbanes-Oxley (SOX), Payment Card Industry (PCI) compliance, the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA) as one more piece of the data and compliance puzzle that we have to solve.
 
The GDPR itself was written and made law by the EU. This immediately raises the question, what does the GDPR have to do with the United States of America? 
 
There are short, medium, and long answers to this question, and you need all three. Since the EU law applies to people within the EU, it probably seems that it has no immediate application within the US. However, there are a couple of “buts” associated with that short answer, and those “buts” constitute the medium and long answers.
 
What If Your Business Collects EU Data?
The law is clear and written in easy to understand language (unlike a lot of other laws). The application of the law is written in the first line of the first Article of the first Chapter: “This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”
 
What they’ve done is to define the law as applying only to “natural persons.” Why this particular term of art? Because they are intentionally creating a law that applies to human beings and not the legal construct of a person. In short, it eliminates the inclusion of corporations.
 
The next thing to define is what data is included under the law. This is a little less clear. Looking at Chapter 1, Article 3, we get the answer: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
 
Processing and collection are different. If the data is collected within the EU, the law applies; this is distinct from, say, someone from the EU visiting the US and submitting information to a non-EU based organisation. However, once the data has been collected, the law applies to its processing regardless of where that processing occurs.
They clarify and expand this further in the second part of Article 3:
 
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:  
  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union.
When we take these together, we can say that the law applies to the collection of personal information from people currently residing within the EU. This makes it applicable to US entities. If your organization is collecting information from any people within the EU, then that information falls under all the regulations and laws of the GDPR.
 
Not only is there already a GDPR-influenced law in effect, though not yet being enforced, in the United States, but several more are being actively brought forward.
 
The California Privacy and Protection law (CPP)
 
The CPP was passed last year and took effect on January 1, 2020. Since the law was closely modeled on the GDPR, it mirrors a lot of the language. In California, however, legislators have gone even further. They have passed the standard definitions within the GDPR of such things as the right to be forgotten, a requirement to opt in for communication and data collection, the requirement that you publish how the data is being processed, and a mechanism for accessing the data you collect on an individual. They’ve also expanded what constitutes personal information and added things to the definitions that many of us who follow the GDPR expect to become standard: IP address, geolocation, browsing history, search history and more. You also have to provide an explicit “opt-out” option for the data you collect and for any data you share with third parties.
 
There is another piece of legislation being brought forward in California that will make the CPP even stronger, including allowing individuals to bring suit against companies that violate the CPP in addition to anything the state itself does.
 
There are at least 10 other states that are currently working on some version of a new privacy compliance law; all of them are modeled on the GDPR. The ones I’ve read about so far include: New York, Hawaii, New Jersey, Maryland, Massachusetts, New Mexico, Rhode Island, Mississippi, and North Dakota.
 
Other countries are now passing GDPR-style laws. If you deal with data from the following countries, you will need to understand how their GDPR-style compliance regime applies: Argentina, Brazil, China, Iceland, Malaysia, Switzerland and Uruguay.
 
The Benefits of GDPR
 
  • Consent Is Paramount: The good thing about GDPR is that it provides maximum importance to consumer consent. Companies cannot use long contracts to sneak in clauses which customers do not read. The companies are expected to get explicit consent about the type of data that they will collect as well as how they will process it. It does not matter whether the data processing happens within the European Union or not. As long as the data belongs to an EU citizen, the General Data Protection Regulation (GDPR) is applicable.
  • Right to Be Forgotten: Another big achievement of the General Data Protection Regulation (GDPR) is that it provides consumers with the right to be forgotten. This means that even if we agree to share certain data today, we can change our minds later. For instance, if we agreed to share our credit card information with a company today, we can later ask them to delete our credit card information or our entire account. For the first time in the history of data protection laws, the right to be forgotten has been provided to consumers. Digital companies can no longer show backdated contracts signed by customers and hold them hostage. If the customers want the data to be deleted now, this instruction supersedes the previous ones, and the digital companies are legally bound to delete all data that has been requested by the customer.
 
Disadvantages of GDPR
 
  • Has Caused Spam: The biggest problem with the GDPR is that it has caused spam on a massive scale. This is strange given the fact that the purpose of GDPR is to stop spam. Millions of e-mails have been triggered asking users whether they offer their consent for the use of data. Since several companies are sending these e-mails simultaneously, consumers are not able to differentiate the details. Many of them are just blindly clicking on “I agree.” This ends up defeating the whole purpose of the GDPR exercise.
  • Helps Bigger Companies: The GDPR adds a huge amount of complexity to online business. Every business needs to be compliant regardless of its turnover. Compliance is expensive for small businesses, while larger businesses find it easier and cheaper to comply with these norms. This is the reason why Google and Facebook, which were supposed to be the most affected by the General Data Protection Regulation (GDPR), are actually the biggest beneficiaries. This regulation makes it difficult for smaller companies to compete with the larger ones.
  • Marketing Efforts Redesigned: E-mail marketing has become a lot more expensive and time-consuming. Data lists now have to be General Data Protection Regulation (GDPR) compliant. Also, the information collected on social media websites has to be stored, shared and used carefully. The entire process of digital marketing is likely to take a huge hit.
In summary, the GDPR has some pros and cons. However, the benefits largely accrue to the consumers and the big businesses. The small businesses are the ones who have to bear the cost of this increased regulation.
 
Conclusion
 
There’s no longer any valid reason left to argue that you don’t have to worry about the GDPR. One way or another, it is going to affect how you manage your data. It’s no longer an optional, “we’ll get around to it” issue either. With over 59,000 instances of breaches reported since May of 2018, a large number of those under investigation, and an equally large number of warnings and fines already levied, this is an immediate issue. 
 
The next step within your organisation is to ensure that you are going through a risk assessment. The general outline of this is defined within the GDPR in Article 35. If a data protection impact assessment has not yet been done within your organisation, start that now.
 
Contact Cyber Security Intelligence for more information about opportunities and security assessments relating to your organisation.
 
Red-Gate: SuperOffice: TechRepublic: Management Study Guide: Consultancy.uk
 