The General Data Protection Regulation legislation of the European Union applies to protections for the personal data of European residents regardless of whether you process that data inside the EU or not. U.S. companies that process such data will have to comply with the GDPR requirements when they go into effect on May 25, 2018.
Obey GDPR requirements -- or pay the consequences
Compliance is compelled through the use of fines, which can go as high as 4% of annual revenue, or 20 million Euros, whichever is greater. Any U.S. company that handles the personal data of any European residents is at risk.
GDPR requirements and how U.S. companies can meet them
The GDPR applies to all companies, of all sizes and locations, that collect or process protected data in any way. Organizations must treat European residents' data in a way that ensures appropriate security, "including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures" to comply with the regulation.
In article 32, the GDPR makes four recommendations to achieve the cybersecurity of European personal data:
- "the pseudonymization and encryption of personal data;"
- "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;"
- "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;" and
- "a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."
U.S. companies can begin to meet GDPR requirements by first identifying all data being held by the company. (If there is not an existing data privacy officer in your company, GDPR is an excellent motivator to appoint one.) Then companies may use approaches such as data minimization and pseudonymization or encryption as appropriate. Data minimization is an approach where you do not capture or retain more data than you need for the given application. Pseudonymization is a de-identification approach that permits you to use people's data without being able to identify the person behind the data. Encryption matters because a company whose data is exposed or stolen may not have to make breach notifications if encryption rendered the data unintelligible.
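The following is an added example, not code from the original article, of what data minimization and pseudonymization look like in practice. It assumes a customer record with a constructed field set (`customer_id`, `email`, `country`, `plan`, plus fields the application does not need), keeps only the allowlisted fields, and replaces the direct identifiers with keyed HMAC-SHA256 tokens. The key is the "additional information" that makes re-identification possible, so it has to be stored separately from the pseudonymized records; without it the tokens cannot be reversed or re-linked, which is what distinguishes this from merely hashing an e-mail address. Field names and the sample key are assumptions for the example.

```python
import hashlib
import hmac
import json

# Data minimization: the fields this application actually needs.
# Constructed allowlist for the example; a real one comes from your data inventory / DPIA.
NEEDED_FIELDS = {"customer_id", "email", "country", "plan"}

# Direct identifiers that must never leave the controller's boundary in the clear.
IDENTIFIER_FIELDS = {"customer_id", "email"}


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same input and same key give the same token,
    so records can still be joined and analysed, but the token cannot be reversed
    or re-linked to the person without the separately held key."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize(record: dict) -> dict:
    """Drop every field that is not on the allowlist (data minimization)."""
    return {k: v for k, v in record.items() if k in NEEDED_FIELDS}


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Minimize first, then replace each direct identifier with its pseudonym."""
    out = minimize(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = pseudonym(str(out[field]), key)
    return out


def contains_identifiers(pseudonymized: dict, original: dict) -> bool:
    """Audit check: True if any original identifier value survives in the output."""
    serialized = json.dumps(pseudonymized).lower()
    return any(
        str(original[f]).lower() in serialized
        for f in IDENTIFIER_FIELDS
        if f in original
    )


# Constructed sample input; the extra fields show minimization removing what is not needed.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "Ana.Silva@example.eu",
    "country": "PT",
    "plan": "pro",
    "date_of_birth": "1988-04-02",
    "marketing_notes": "called twice about invoice",
}

# Constructed demo key; in production this lives in a KMS/HSM, separate from the data store.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"


if __name__ == "__main__":
    result = pseudonymize_record(SAMPLE_RECORD, SAMPLE_KEY)
    print(json.dumps(result, indent=2))
    print("identifiers leaked:", contains_identifiers(result, SAMPLE_RECORD))
```

Because the pseudonym is keyed, rotating or destroying the key is a practical way to sever the link to the individual for a whole data set, and the `contains_identifiers` check is the kind of assertion worth keeping in a pipeline test so that a schema change cannot silently reintroduce a clear-text identifier.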
To "ensure ongoing confidentiality, integrity, availability and resilience," you must consider state-of-the-art technology approaches such as "monitoring systems for unauthorized changes in real time and encrypting data during all transmissions." You must supply "reports that these functions are actually occurring." You must determine your risk level using the Data Protection Impact Assessment in article 35 of the GDPR and show that you have implemented appropriate efforts to deliver security that addresses this risk level.
The third recommendation raises the question of what meets the definition of "timely." Experts have concluded that timely means much sooner than the previously adequate seven days. As a result, companies are much more likely to develop plans for business continuity and data recovery and confirm that DR technologies can recover both availability and access to data in the shortest time possible.
To do the necessary assessment and evaluation of technical and organizational measures, companies can use "threat simulations and continuous evaluation" of incident response plans, including regular backup testing. They should also use penetration testers for tests "ranging from [a] hands-off assessment of your controls to a full 'Red Team Exercise' where the testers act as malicious attackers," according to Alexander Dittel, with the Charles Speechlys law firm based in London.
Because fines are on a variable scale, more egregious violations will be subject to higher fines -- and that means a company that decides to ignore GDPR entirely and hopes it isn't in violation is more likely to get hit with a hefty fine. This probably includes companies that decide their EU business is not significant enough to bother with GDPR requirements. Presumably, taking some steps will be seen as a way to mitigate the size of the potential exposure to penalties.