While May of 2018 seems far off into the future, the date looms for firms whose business requires them to collect,...
process or maintain data about any EU resident. That is when the EU's General Data Protection Regulation, the regime for protecting personal data in the EU, is scheduled to go into effect -- and it will apply to all companies processing EU resident data, no matter where the firms are located.
The new EU GDPR privacy regulation reforms and expands the data protections that previously had been enforced under the 1995 EU Data Protection Directive, also known as Directive 95/46/EC. The new privacy regulation adds obligations for companies handling personal data in any way, as well as giving individuals stronger rights over their data and imposing restrictions on the flow of data across international borders.
"GDPR actually creates a much wider scope," said Deema Freij, global data privacy officer at enterprise software maker Intralinks Inc. in New York. "The regulation will cover businesses -- even if they're not established in the EU -- if they process any data of EU citizens or residents. And it's interesting because you could be sitting in Australia, a million miles away, and yet you process EU residents' personal data, and that means it affects you. A lot of businesses are concerned, and they should be concerned and they should start taking it on board."
Changes implemented by the GDPR "will give people more control over their personal data and make it easier to access it," according to the European Commission Q&A on data protection reform. "They are designed to make sure that people's personal information is protected -- no matter where it is sent, processed or stored -- even outside the EU, as may often be the case on the internet."
Late last year, Věra Jourová, EU commissioner for justice, consumers and gender equality, said: "The reform will allow people to regain control of their personal data." She added that the new rules would give individuals easier access to their own data, the right to data portability through transferring personal data between service providers, clarification on the EU "right to be forgotten," and the right to be notified of a data breach involving the individual's data.
At the same time, Jourová noted that the reform would also impose clearer rules for businesses, starting with the establishment of a single set of rules for all EU member states -- and a single supervisory authority with which businesses must deal over data protection. Another key change is the requirement that "companies based outside of Europe will have to apply the same rules when offering services in the EU."
That last change is crucial because it means that any company with customers located in the EU -- or any company that maintains personal data about any EU resident -- is expected to comply with the new regulation. And that includes the UK, no matter what happens with the recent "Brexit" referendum vote.
"Britain leaving the European Union is not likely to change GDPR requirements for UK firms that do business in the EU," said David Berman, senior director of product marketing at CipherCloud. "If the firm collects personal information on EU 'data subjects,' then they should prepare for the more stringent rules for data privacy under the GDPR."
"The UK will need to create or revise many laws as they separate from the EU. The UK consumer privacy mindset is very strong and it is likely that they will stick to the GDPR timeline for enforcement starting in May 2018."
The definition of personal data under the GDPR is also expanded. The new regulation defines personal data as including "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
One result of the uptake of the EU GDPR privacy regulation is that compliance may require organizations and firms to appoint as many as 28,000 data protection officers prior to the 2018 deadline.
The potential risks of failing to properly implement and comply with the GDPR can be huge, with penalties for noncompliance possibly as high as 20 million euros (approximately $22.2 million) or 4% of the enterprise's annual global turnover -- whichever is higher.
However, smaller firms are likely to be impacted less. "There are certain things that small companies won't have to do, for example, potentially, having a data protection officer," Freij said. "Depending on whether it is their sole business to process data, how big are they, that sort of thing will be taken into account, so maybe they don't need a data protection officer, but they're going to have to implement the vast majority of things."
For any data leaving Europe, Freij said that a firm will need to be able to document that it is permitted to transfer that data. Likewise, firms will need to have the proper technical and organizational security measures in place to safeguard that data.
Getting ready to implement EU GDPR
Even with almost two years to prepare for the new regulation, there is still great uncertainty over GDPR. "A lot of people are concerned, and over 50% actually believe they are going to be fined under the GDPR, because it's such a complex regulation," Freij said.
Stephen Cobb, senior security researcher at ESET, said "GDPR's impact on the 'typical' enterprise is going to vary considerably, based on such factors as where the enterprise is located, where and with whom it does business, how it obtains any of the personally identifiable information it handles, and where it processes and stores PII."
As for getting ready for the new regulation, Cobb said "The first step is to review the GDPR's requirements relative to those factors. The impact may be minimal, but only if you never do business with anyone in Europe, and never handle any PII pertaining to residents of Europe, and the PII that you do handle never leaves the United States. This impact assessment needs to use the GDPR definition of PII, which is different from most U.S. definitions, while bearing in mind that any cloud services you currently use to handle PII may be moving such data into or through Europe without your knowledge."
Preparing for the new EU GDPR regulation in the cloud will also call for attention. Jamie Barnett, chief marketing officer at cloud access security broker Netskope, said that it's important to be aware of what data is going into and out of cloud applications. She suggested that the first step is to "understand what applications are in your environment, but very soon after that, figure out where your most critical data are flowing to and from, and where they are at rest in. And then understand that data, vis-à-vis the kind of data that either you shouldn't have in the cloud, or, if you have in the cloud you have the appropriate protections given the GDPR requirements."
With the EU GDPR looming, Freij suggested that there were many things to look at in order to prepare for the new regulation. For example, when considering a new vendor or creating a new product, there is a need to develop a privacy impact assessment. It becomes important to vet a vendor for their ability to comply with the new regulation, to determine whether it is ready to comply, as well.
"Is that product or is that vendor going to be handling personal data? If they are, what type of security are we using?" Freij asked. "How much personal data is going to have to go through it? Where is it going to flow? How is it going to sit? All these questions have to be answered. From a holistic perspective, what is their privacy strategy? Do they have proper policies and governance structures in place? Are their employees being trained on data privacy? Do they have to go through certifications on data privacy? If they have employees specifically who handle personal data rather than the whole consensus of your employees, are they being given particular training in data privacy?"
Editor's note: Stay tuned for part 2 of this series on the EU GDPR.
Read about how Adobe, Google and Microsoft are preparing for GDPR.