GDPR Will Impact Data Management In The USA

With Europe’s General Data Protection Regulation set to take effect on May 25, 2018, IT and data management leaders across the world, including those in the United States, should be preparing for the new requirements affecting organisations inside and outside of Europe.
 
You don’t have to have physical operations in Europe to be affected by the GDPR, and failure to prepare can have severe ramifications, including crippling fines.
 
Directives, Regulations, and Federalism
Data protection laws in Europe have had variances, as well. The difference between a directive and a regulation is important.
Under what is known commonly at the 1995 Directive, officially, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, European data protection law is somewhat like the federalism of US law.
 
In the US, one has 50 states, a federal district, and various territories making laws. At the same time, the EU—at least for the moment—has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). They make different laws that sometimes contradict each other. The 1995 Directive, which took effect in 1998, provides guidance, but Europeans sought a regulation that would harmonize European data protection laws.
 
Enter the General Data Protection Regulation (GDPR), which will become effective May 25, 2018. In this article, I’ll examine the rationale behind the new regulation, analyze the provisions of the GDPR, and let you know how you can prepare for next May.
 
Data Law Harmony in Europe
As an initial matter, I should note that—although many observers say simply the EU GDPR—the new regulation actually affects more than merely the EU.
 
First, the regulation itself is not merely for the 28 member states of the European Union. It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein. The GDPR is being integrated into the 1992 EEA Agreement.
 
Second, if you’re sitting in Des Moines, thinking, “I don’t care what the Europeans do, I’m in Iowa,” you probably should care because the GDPR affects not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals—regardless of the organization’s location. Yes, Des Moines, that means you, too.
 
At first glance, one would think the GDPR is good for cross-border business and for e-discovery with Europe. After all, with data protection laws and regulations harmonised among the 31 EEA nations, things should be easier, right? The problem is that some of the new provisions make European data protection law even more different from US law, a big challenge for international business and litigation.
 
What’s Changing?
To put the provisions of the GDPR in context, I should note the United States and Europe have very different views of data privacy. In the US, we tend to put greater value on free speech, and the right to evidence in litigation, than we do for data privacy. In fact, contrary to what many Americans think, there is no specific right to privacy in the US Constitution.
 
American courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. However, the original document is silent on the issue of privacy, and it wasn't until 1965 that the US Supreme Court articulated an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.
 
Contrast that with Europe. From the beginning of Europe to the tragic history of World War II, privacy has come to carry greater importance there. In fact, unlike in the US, privacy is a fundamental right in Europe under article 8 of the EU Charter of Fundamental Rights.
 
Controller v. Processor
When determining how the GDPR affects you, an initial consideration is whether you’re a data controller or merely a data processor. The difference is significant. Article 4 of the GDPR provides the following definitions:
A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
 
A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
 
GDPR article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organizational measures to ensure GDPR compliance. 
 
Processors do have certain limitations. For instance, GDPR article 28 provides that processors may not engage another data processor without permission of the data controller. Processors, too, must implement proper controls, and article 83 provides that GDPR fines apply to both controllers and processors.
 
Hefty Fines
One of the biggest data protection changes coming with the GDPR comes in the form of substantial fines. GDPR violations can result in fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater.
 
Consent
Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
 
Data Breach Notification
One of the more controversial provisions of the GDPR is that data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals. Critics worry the 72-hour notification is unrealistic at best and counterproductive at worst.
 
Right to Erasure
Known formerly as the “right to be forgotten,” these provisions were also controversial, giving data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.
 
Right to Access
The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.
 
Data Protection Officers
Another GDPR requirement is that companies appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, during negotiations on the GDPR, the number of organizations required to have a DPO was reduced substantially.
Although almost all public organizations will have to have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information will have to have them. Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.
 
Going Forward
Given these new requirements, how should you be preparing for the GDPR? I have a few tips:
 
• Obtain ISO 27001 Certification: Promulgated by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the international standard for data security. ISO 27001 certification requires that an organization examine its information security threats and vulnerabilities, develop and implement security controls, and continue to monitor potential security threats. ISO 27001 certification won't ensure complete compliance with the GDPR, but it will go a long way.
• Hire a DPO or CISO: Hiring a data protection officer (DPO) is no longer a requirement for many companies under the GDPR. As I noted above, original drafts of the regulation required far more organizations to have a DPO, but just because the GDPR doesn't require you to have a DPO doesn't mean you shouldn't. Having a DPO or a chief information security officer (CISO) can help in achieving GDPR compliance and ISO 27001 certification.
• Hire a Consumer Data Ombudsman: Consumers have far greater rights vis-a-vis their data under the GDPR. Unless you want your DPO/CISO or other staffers bogged down with incessant customer data demands, create a role or department specifically for dealing with requests and complaints from data subjects.
• Use Consultants and the IAPP: Although the GDPR may be a wake-up call to many organizations, others have been monitoring and preparing for the GDPR during the years of negotiation. Consulting firms and organizations such as the International Association of Privacy Professionals (IAPP) can provide guidance, and the EU itself offers some insight.
• Build a Data Map: Under the GDPR, having a map of exactly what data you have and where that data reside is critical. If your data is flowing outside the EEA or the nations deemed to have adequate data protection standards, you need to know and take appropriate safeguards.
 
However, you prepare, time is of the essence. Next May will be here soon, and the EU will, in all likelihood, be making an example out of someone. Don’t let it be you.
 
Information-Management
 
You Might Also Read:
 
US Needs To Get Its Data Ready For GDPR:
 
What Does The UK’s Data Protection Bill Mean For Business?:
 
EU / US Privacy Shield Affects Your Organisation:
 
 
« 3D Mapping Can Locate Survivors In Burning Buildings
Startups Are Changing The Future Of Cybersecurity »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Computer Laboratory - University of Cambridge

Computer Laboratory - University of Cambridge

Computer security has been among the Laboratory’s research interests for many years, along with related topics such as cryptology

Herjavec Group

Herjavec Group

Herjavec Group's Managed Security Services practice defends your organization from increasingly sophisticated, targeted cybercrime threats.

H-11 Digital Forensics

H-11 Digital Forensics

H-11 Digital Forensics is a global leader of digital forensic technology.

CyberSec Hub - The Kosciuszko Institute

CyberSec Hub - The Kosciuszko Institute

The goal of CyberSec Hub is to create a centre of excellence for cybersecurity in Krakow, a new European “Cyber-Silicon Valley”.

Cyber Security Cloud (CSC)

Cyber Security Cloud (CSC)

Cyber Security Cloud provides web application security services worldwide using world's leading cyber threat intelligence and AI technology.

Research Institute in Secure Hardware and Embedded Systems (RISE)

Research Institute in Secure Hardware and Embedded Systems (RISE)

The UK Research Institute in Secure Hardware and Embedded Systems (RISE) seeks to identify and address key issues that underpin our understanding of Hardware Security.

PSafe

PSafe

PSafe is a leading provider of mobile privacy, security, and performance apps. We deliver innovative products that protect your freedom to safely connect, share, play, express and explore online.

Verica

Verica

Verica uses chaos engineering to make systems more secure and less vulnerable to costly incidents.

Secure Diversity

Secure Diversity

Secure Diversity is an innovative non-profit organization with leaders that think out of the box to create strategies & solutions to increase diversity in the cybersecurity industry.

Vectra AI

Vectra AI

Vectra threat detection & response - see and stop threats across hybrid and multi-cloud enterprises.

CUBE3 AI

CUBE3 AI

CUBE3.AI is a web3 security platform that provides real-time transaction protection for smart contracts, safeguarding against cyber exploits, fraud, and compliance risks.

ZeroGPT

ZeroGPT

ZeroGPT.com stands at the forefront of AI detection tools, specializing in the precise identification of ChatGPT-generated text.

Autobahn Security

Autobahn Security

Autobahn Security is a growing team of 80+ experts from 25+ nationalities, established in 5 countries. We’re working hard to make Autobahn Security the No. 1 solution for improved hacking-resilience.

Defendis

Defendis

Defendis develops AI-powered cybersecurity solutions for Government Agencies, Banks, and Businesses, designed to helps them contain data leaks, minimise damage, and proactively hunt for new threats.

CyberNINES

CyberNINES

CyberNINES is a business specializing in helping US Department of Defense contractors become compliant and attest to federal cybersecurity regulation requirements.

Neural Defend

Neural Defend

Neural Defend is a deepfake detection technology with proprietary algorithms and an AI agentic multi-layered of solution.