In response to the ever-increasing number of high-profile data breaches, lawmakers and regulators around the world are tightening existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to growing internal and external threats. In December 2015, the European Union reached political agreement on the text of one such framework, the General Data Protection Regulation, or GDPR.
The regulation, which is expected to take effect in 2018, applies to any organization that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour – regardless of where the organization itself is based. Though clearly a step in the right direction for protecting the privacy of people in the EU, this newly agreed framework will pose a variety of challenges for U.S. businesses, many of which have never had to deal with this type of regulatory compliance before. (For a European perspective on the GDPR, click here.)
Although we still have just under two years before the GDPR takes effect, here are a few things U.S. businesses need to know about the new regulation:
- Creation of the Data Protection Officer: One of the most drastic changes brought about by the GDPR is a new mandatory role, the “Data Protection Officer” (DPO), which U.S. coverage often labels a Chief Privacy Officer. In a nutshell, the DPO is in charge of monitoring the organization’s compliance with the GDPR and advising on how the personal data of people in the EU is handled. The role is required for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data, and the DPO must report to the highest level of management and be given the resources to do the job. And if things go wrong? The regulation’s fines land on the organization as controller or processor, not on the DPO personally; in fact the GDPR forbids dismissing or penalizing the DPO for performing the role. The major hurdle is that thousands of DPO positions will need to be filled within the next two years. (Cough, IT skills gap, cough.)
- Trust through Capabilities, not Contract: Under the EU-U.S. Safe Harbor framework (struck down by the Court of Justice of the EU in October 2015), transfers of personal data out of Europe rested primarily on a “trust through contract” model: any entity that self-certified to the Safe Harbor principles could receive and process personal data transferred from the EU. (For an excellent recap of the overturning of Safe Harbor, scroll down to the “Data and International Regulations” portion of CEO Alan Kessler’s blog post, “2016: A Cybersecurity Market Odyssey.”) The GDPR, which replaces the 1995 Data Protection Directive rather than Safe Harbor itself, shifts the emphasis to accountability: organizations must implement appropriate technical and organizational measures to protect the personal data of people in the EU and must be able to demonstrate to a supervisory authority that they have done so. In the coming years, it’s going to be interesting to see how many organizations will be forced to shift their business models dramatically in order to stay compliant with the GDPR.
- Get-Out-of-Jail-Free Card: An interesting pillar of the GDPR framework concerns notifying the individuals affected by a data breach. According to the regulation:
“The communication to the data subject … shall not be required if: … the controller has implemented appropriate technical and organisational protection measures … to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption....”
So, if your organization suffers a breach involving the personal data of people in the EU but can show that the affected data was encrypted, and that the attacker did not also obtain the keys, your organization is not required to notify the affected individuals. Note what the exemption does not cover: the breach still has to be reported to the supervisory authority (Article 33 of the final text: without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals), and the exemption only holds if the encryption actually rendered the data unintelligible. An attacker who walked off with the ciphertext and the key, or who pulled data through an application that decrypts it on the way out, gets you no relief. Still, this is a welcome surprise to see in the GDPR – a “get-out-of-jail-free” card, if you will, provided the data that left your organization was not actually readable.
- Money, Money, Money: The GDPR comes out of the gate with a very sizeable potential impact on organizations found to be noncompliant. For the most serious infringements, an organization can be fined up to four percent of its total worldwide annual turnover for the preceding financial year or 20 million EUR, whichever is higher; a lower tier of two percent or 10 million EUR applies to other violations, including failing to meet the security-of-processing or breach-notification obligations. The potential financial loss alone should serve as a much needed wakeup call for organizations currently sleeping on essential security requirements.
As we get closer to the GDPR’s effective date, we’re going to see a lot more activity and questions from U.S.-based companies (and their legal counsel) about the day-to-day impact of the regulation. Those two years will go quickly, and my advice for businesses is to start planning and mapping out their security strategies right away: inventory where personal data of people in the EU is stored and processed, decide which of it should be encrypted and how the keys will be managed and kept separate from the data, and work out who must be notified, and how fast, when something goes wrong. Doing so gives organizations the time to adopt the appropriate technologies and, ultimately, to avoid falling behind the (data privacy) curve.
Do you control or process the personal data of people in the EU and have questions about how the GDPR will affect your organization? Let’s chat. Tweet me @SolCates, or feel free to leave a comment below.