The General Data Protection Regulation (GDPR) applies from May 25, 2018. It requires any company that does business with residents of the European Union (EU) to maintain strict data protection practices, and because it reaches far beyond the EU's borders it will be the most sweeping information security regulation yet to hit global businesses. In essence, the GDPR requires organizations to keep accurate, up-to-date records of the personal data they process, to keep that processing under continual review, and to be able to demonstrate compliance on demand.
Data collection must be limited to what is relevant to the purpose the company collects it for (for example, consumer shopping data but not medical history data for an e-commerce company). Companies should be willing and able to explain exactly what data has been collected and why. Security practices must demonstrate a clear ability to safeguard the data against loss, damage, and destruction, and data should not be held longer than is necessary. The penalties are real: fines for the most serious violations run up to 4 percent of a company's annual global revenue or €20 million, whichever is higher.
“This is not a toothless set of rules and regulations,” said Ankur Laroia, Strategic Solutions Leader at information management system provider Alfresco. Laroia makes the case that several of the regulation's provisions will make it difficult for companies to remain compliant: abstractly written rules for why data is being collected, far-reaching requirements for scrubbing customer data when a customer requests it, and the need for some companies to totally revamp their security procedures solely to ensure compliance. Still, Laroia doesn’t think the EU is messing around. “The EU is going to go after offenders. Had this been enacted, Equifax would have gotten into a lot of trouble.”
The GDPR is written to protect people in the EU, but it also presents a nightmare scenario for American business owners. In this article, we’ll break down what Americans need to know to begin the journey toward GDPR compliance.
1. American Companies Will Need to Comply
If your mom-and-pop bookstore has never shipped a package outside of your home city, then you probably won’t need to concern yourself with the GDPR. The regulation reaches companies outside the EU that offer goods or services to people in the EU or monitor their behavior, so if you have even one EU-based customer (shipping to an EU address counts), you’ll need to begin the process of becoming GDPR-compliant immediately. Under the regulation, an EU resident's personal data must be protected, you must give that person a copy of the data if he or she asks for it, and, more importantly, you may be required to purge that data from your systems if and when the person requests erasure. If you don’t, and a supervisory authority finds out, you stand to be fined up to 4 percent of your annual revenue.
“Although it’s an EU directive, it impacts any company around the world that has EU residents as customers,” said Pete Lindstrom, Vice President of Security Research at IDC. “If you have address fields and they’re [filled in with] a European address, they’ll likely be considered European.”
The regulation draws no distinction between a company headquartered in the EU and one in a city such as Skokie, Illinois. It focuses instead on personal data (a broader category than what US law calls personally identifiable information, or PII: IP addresses, device identifiers and location data all count) and on where the person that data describes is located. Anybody that holds any kind of personal data on a European customer will have to comply.
If your company has only a handful of EU-based customers, it’s highly unlikely your local bookstore will be audited by a supervisory authority. But large companies, such as Facebook and Yahoo, won’t be able to claim American allegiance as a way to skirt the GDPR.
“If you’re a mom-and-pop [shop] and you have a breach, you’re legally liable,” said Laroia. “It’s hard to say if they’ll realistically come after you…each EU member state will have an office of compliance. That office will start to ask for everybody’s compliance scheme. They’ll create an inventory of companies doing business in their geographies. They’re going to spot check the bigger guys and start to ask questions.”
American companies that don’t comply shouldn’t expect the US government to shield them when EU member states attempt to collect those fines. “The US government is compelled to make sure those judgements are enforced,” said Laroia. “Whether they are enforced is yet to be seen, but the government in the EU will have to fight [and the US will have to comply].”
2. May 25 Means May 25
Although the regulation applies from May 2018, the European Parliament adopted it on April 14, 2016, and it entered into force the following month with a two-year transition period. This means companies should already be putting GDPR-compliant practices into place. So, if your company suffers a massive cyberattack on May 26, 2018, you can’t claim “insufficient time” as an excuse for exposing EU residents' data.
“The statutes went into effect last year,” said Laroia. “You can be asked to show your journey into compliance already. Have you inventoried? What’s your protocol for an EU citizen to ask about your data? These companies can be asked for this information right now. They will start to be fined next year if they can’t demonstrate compliance after May.”
3. Don’t Expect an Extension
Unlike most of the regulatory battles we have in the US (Net Neutrality, for example), don’t expect someone to step in on May 24, 2018 and challenge the GDPR in court, postponing the regulation indefinitely.
“This is the beauty of the way the regulations have been set up,” said Laroia. “Because they gave corporations a year to get their act right, there haven’t been any challenges out there from a litigation perspective. If we were going to see that, it would have already happened. Might someone do that after they get sued? I’m sure they’ll try, but it will look poorly on them at that point.”
4. What You’ll Need To Do To Comply
You’ll need to put someone in charge of managing the compliance process. The regulation makes a formally designated Data Protection Officer (DPO) mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, such as health data; other organizations may appoint one voluntarily, and many do. The DPO, or whoever fills that role, will be the point person responsible for walking the supervisory authority through the ways in which your company has been securing personal data. This person will also be responsible for pulling together the disparate lines of business within your company to produce a methodology for getting and staying GDPR-compliant.
The regulation does not prescribe specific technologies; it asks for security measures appropriate to the risk, and it names encryption and pseudonymization as examples. In practice, staying compliant means encrypting data at rest on physical servers, network attached storage (NAS), disks and drives, and in transit across the network. You’ll need to verify employee identities and institute multi-factor authentication (MFA) for access to personal data and for transactions that include it. You’ll need to cut out any practice that accesses or processes data for purposes the person was never told about, check regularly that the data you hold is still accurate and still needed (the regulation calls this data minimization and storage limitation), and be able to completely and irreversibly purge a customer’s data when asked to do so, subject to the regulation's exceptions such as legal retention obligations. You’ll need to conduct risk assessments (a formal Data Protection Impact Assessment for high-risk processing) and put contracts and controls in place with partners that process data on your behalf, especially those connected via application programming interfaces (APIs), because you remain accountable for what they do with it.
Finally, if personal data is breached, you’ll need to notify the relevant supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of the breach, describing what happened, its likely consequences, and the measures you have taken. Where the breach is likely to put the affected people at high risk, you’ll also need to tell them directly.
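The access and erasure requirements above are where implementations most often fall short, because a record deleted from the primary database lives on in backups, replicas and partner caches that nobody can reliably reach. One way to make "irreversibly purge" achievable is crypto-shredding: encrypt each person's records under a key unique to that person, and treat destroying the key as the erasure. The script below is an added example, not code from the article or from any vendor it mentions. The HMAC-SHA256 counter-mode cipher and the in-memory dictionary key store are stand-ins chosen so it runs with the Python standard library alone; a production system would use AES-GCM from a vetted library and hold the per-subject keys in an HSM or key management service. The subject ID and record are constructed sample data.

```python
"""Crypto-shredding demo for GDPR access and erasure requests (added example, stdlib only).
The HMAC-SHA256 keystream + HMAC tag below is a portable stand-in; production code should
use AES-GCM from a vetted library, with per-subject keys held in an HSM/KMS."""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32

def _derive(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()  # independent enc/mac sub-keys

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class PersonalDataStore:
    """One key per data subject; erasure destroys the key (crypto-shredding), so ciphertext
    copies out of reach (tape backups, replicas, a partner's cache) become unreadable.
    The dict key store is a hypothetical stand-in for an HSM/KMS."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.records: Dict[str, List[bytes]] = {}

    def store(self, subject_id: str, record: dict, purpose: str) -> None:
        """Keep the collection purpose with the data so an access reply can explain it."""
        key = self.keys.setdefault(subject_id, os.urandom(32))
        payload = json.dumps({"data": record, "purpose": purpose}).encode()
        self.records.setdefault(subject_id, []).append(encrypt(key, payload))

    def access_request(self, subject_id: str) -> Optional[List[dict]]:
        """Right of access: everything held on the subject, or None once erased/unknown."""
        key = self.keys.get(subject_id)
        if key is None:
            return None
        return [json.loads(decrypt(key, b)) for b in self.records.get(subject_id, [])]

    def erasure_request(self, subject_id: str) -> bool:
        """Right to erasure: delete the key first, then the hot copy."""
        if subject_id not in self.keys:
            return False
        del self.keys[subject_id]
        self.records.pop(subject_id, None)
        return True

    def can_read(self, subject_id: str, blob: bytes) -> bool:
        """Would a blob found anywhere (e.g. on a backup) still decrypt? False once shredded."""
        key = self.keys.get(subject_id)
        if key is None:
            return False
        try:
            decrypt(key, blob)
            return True
        except ValueError:
            return False

def run_demo() -> dict:
    sid = "subject-42"  # constructed sample subject and record
    ds = PersonalDataStore()
    ds.store(sid, {"email": "a.person@example.com"}, "order fulfilment")
    backup = bytes(ds.records[sid][0])  # a copy we pretend we cannot delete
    return {  # values are computed in order, so "access" runs before erasure
        "access": ds.access_request(sid),
        "backup_readable_before": ds.can_read(sid, backup),
        "erased": ds.erasure_request(sid),
        "access_after": ds.access_request(sid),
        "backup_readable_after": ds.can_read(sid, backup),
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two caveats a practitioner should carry into a real deployment. First, the key must be the only thing that ever touches plaintext: application logs, search indexes, analytics exports and anything a partner received over an API are separate copies that crypto-shredding does not cover, so they need their own retention and erasure path. Second, key destruction is only as final as the key store's own backups, which is why the key store, not the data store, is the component to protect with an HSM or KMS that supports audited, irreversible key deletion.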
5. US Customers
Laroia said it’s ultimately good business sense to safeguard and be good stewards of customer information. “You have to look at this from the vantage point of the end customer,” said Laroia. “They are the reason these companies are in business. Yes, while it is painful for the business, [some] companies haven’t invested in technology or kept up with the pace of innovation.”
Unfortunately, no comparable US regulation is on the books. Financial services companies regulated by the New York Department of Financial Services are covered to a certain extent by its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). That regulation requires each Covered Entity to implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and the Nonpublic Information stored on those Information Systems, according to the written law.
Other states, such as Colorado, have discussed implementing similar regulations, but no sweeping US federal law exists. Laroia is nonetheless optimistic that the US will be next. “Americans have no such rights,” he said. “But give it five years.”