On May 25, 2018, the General Data Protection Regulation (GDPR) took effect, setting a new standard for protecting individuals' rights over their personal data across the EU.
If you work in technology or security in the US, you are aware of GDPR and, unless you have been living under a rock, you have assessed whether your organization needs to comply. And just because the regulation is new, that is, just because no one has yet gone to jail or received a hefty fine, does not mean that regulators do not know what they are doing or will be lax in enforcement.
So, how has GDPR changed the world? The new regulation replaces the outdated 1995 EU Data Protection Directive (Directive 95/46/EC), which, while sound, was written before wide-scale adoption of the Internet. Unlike a directive, which each member state must transpose into its own law, a regulation applies directly in every member state. Simply put, the GDPR places control of a person's information in the hands of that person. It protects individuals located in the EU (not only EU citizens) and applies to everyone classified as a 'controller' or 'processor' of their personal data. This means, yes, the GDPR does apply to you if you are a US business with no physical presence in the EU but you offer goods or services to people in the EU or monitor their behaviour there.
One of the best sources for all things GDPR is the UK Information Commissioner's Office (ICO). The rights afforded to individuals under the GDPR are comprehensive: the right to erasure, the right to restrict processing, the right to object to direct marketing, and more. The US has no comparable federal law, so you will need to involve your legal team to determine whether you must comply. The bottom line is that the regulation is all about accountability, transparency, control and reporting.
What do you do if you're not sure whether your organization needs to comply? If you think you do, it will take some time, so start immediately: acknowledge your requirements and get a plan in place to move toward compliance. How? You can conduct a self-assessment with the ICO's online tool, which walks you through the requirements and provides a score by topic area. If you missed the deadline, the most important thing you can do is act. Get your legal team together and go.
Also, put protection in place to limit your interaction with people in the EU until you are ready. This can be simple and straightforward. I found an example in the form of the LA Times website.
I used a Virtual Private Network (VPN) to appear as an Internet user arriving at the LA Times website from London. When I arrived at the website, I was told that I would be unable to view the content.
I cannot speak to the LA Times' compliance plans for GDPR, nor have I contacted them, but they have put measures in place to detect viewers' IP addresses and filter those from the EU. Obviously, the LA Times needs a more comprehensive solution so as not to miss a market of approximately 518 million people, but this is a great short-term solution in that it protects the LA Times and EU residents' rights to control the potential collection and processing of their personal data.
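The geofilter described above, written out as an added example. This is not the LA Times' code and nothing is known about how their filter works; it is the minimal gate a practitioner would put in front of a site that is not yet ready for EU visitors. The geolocation table is constructed from RFC 5737 documentation prefixes (a real deployment would use the RIR delegation files or a commercial GeoIP database), the trusted-proxy range is a hypothetical `10.0.0.0/8` standing in for your own load balancers, and the function names are mine. The security-relevant detail is the handling of `X-Forwarded-For`: the header is attacker-controlled, so it is only consulted when the TCP peer is one of your proxies, and then walked from the right past your own hops to the first address you did not add.

```python
import ipaddress
from http import HTTPStatus

# Constructed lookup table for this example only. These are RFC 5737 documentation
# prefixes, not real allocations; a production deployment would load the RIR
# delegation files or a commercial GeoIP database instead.
SAMPLE_GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "FR"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

# ISO 3166-1 alpha-2 codes of the 28 EU member states as of May 2018.
EU_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
    "PL PT RO SK SI ES SE GB".split()
)

# Hypothetical: the address range of our own load balancers. Only hops inside it
# are allowed to speak for the client via X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to geolocate.

    X-Forwarded-For is attacker-controlled: a client can send any value it likes
    and every proxy appends to it. So the header is only consulted when the TCP
    peer is one of our proxies, and it is walked from the right, skipping our own
    hops, until the first address we did not add. Anything to the left of that is
    untrusted and ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(peer) or not x_forwarded_for:
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # A malformed entry is a sign of tampering; stop trusting the header.
            return peer
        if not is_trusted_proxy(addr):
            return addr
    # Every hop was ours (e.g. a health check from inside the proxy tier).
    return peer


def lookup_country(addr):
    """First-match lookup; the constructed prefixes do not overlap, so no
    longest-prefix logic is needed here. Returns None for unknown addresses."""
    for net, cc in SAMPLE_GEO_TABLE:
        if addr in net:
            return cc
    return None


def gdpr_gate(remote_addr, x_forwarded_for=None):
    """Return (HTTP status, country code) for a request.

    Requests geolocated to an EU member state get 451 Unavailable For Legal
    Reasons, the status code defined for exactly this situation (RFC 7725).
    Unknown countries are allowed through, which is the fail-open choice.
    """
    addr = client_ip(remote_addr, x_forwarded_for)
    cc = lookup_country(addr)
    if cc in EU_COUNTRIES:
        return HTTPStatus.UNAVAILABLE_FOR_LEGAL_REASONS, cc
    return HTTPStatus.OK, cc


if __name__ == "__main__":
    # A direct client from the sample "DE" prefix, then a request through our
    # load balancer where the client tried to prepend a US address to the header.
    print(gdpr_gate("192.0.2.10"))
    print(gdpr_gate("10.1.2.3", "203.0.113.5, 198.51.100.7, 10.9.9.9"))
```

Two caveats a practitioner should keep in mind. IP geolocation is approximate and trivially bypassed in the other direction: an EU visitor on a US VPN endpoint walks straight through, just as the author's London VPN endpoint was caught. And the gate only limits new collection; it does nothing for personal data of EU residents the site already holds, which is why the author calls it a short-term measure.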
So, what have the results been? The online news site DataBreachToday reported that the UK regulator, the ICO, saw breach reports rise to 1,750 in June, up from just 400 in April. While that sounds alarming, a more than fourfold rise between April and June is an indication of compliance at work: the GDPR requires controllers to notify the regulator of a personal data breach within 72 hours of becoming aware of it, so the jump is better read as organizations reporting as required than as a sudden wave of new breaches. This is the EU; this is principles-based regulation focused on outcomes. Acknowledging where you do not yet comply, and measuring and monitoring your progress toward compliance, matter: they show you are taking accountable steps to control and monitor the gaps.
Many US organizations may not yet comply, but you need to know whether you must, and then start working toward it. You had two years to comply. Take the first step and the rest will follow.
Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.